Hello, fairly new to Elastic Stack and having a play with the Watcher to try and get some useful threshold alerts.
One I'm struggling on is this scenario:
We have heartbeat which is monitoring various https websites, one of the metrics pulled back is "tls.certificate_not_valid_after" e.g. tls.certificate_not_valid_after = "August 12th 2021, 09:40:34.000".
I want to create a new threshold alert (or advanced watcher?) so that if there is less than 30 days until the tls.certificate_not_valid_after date then it triggers the alert.
I can't see any way of creating an alert based on date? Or am I going about this completely the wrong way?
One way is to use a range query search input to retrieve documents where tls.certificate_not_valid_after is less than now plus 30 days. Then a compare condition can be used to check the number of documents returned > 0 and send an alert.
This obviously brings back a huge count as it counts each document that's less than 30 days until the date. How would I take this further by using a field within the heartbeat index such as "http.url" and only return a positive count for each unique "http.url"?
To summarise what I'm trying to achieve:
Use the heartbeat index and trigger an email with details of any "http.url"s where the tls.certificate_not_valid_after date is less than 30 days away.
Thank you.
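The approach described in the reply above (a range search input plus a condition) combined with the per-URL de-duplication asked for in the follow-up can be expressed as one advanced watch. The definition below is an added example written for this thread, not code posted by either participant or shipped with Elastic. It assumes the Heartbeat data lives in indices matching `heartbeat-*`, that `http.url` is mapped as a `keyword` (if it is a `text` field, aggregate on `http.url.keyword` instead), that a Watcher email account is already configured in `elasticsearch.yml`, and that `secops@example.com` is a placeholder recipient. It is created with `PUT _watcher/watch/tls-cert-expiry` in Kibana Dev Tools, with this body:

```json
{
  "trigger": {
    "schedule": { "daily": { "at": "08:00" } }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "heartbeat-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-15m" } } },
                { "range": { "tls.certificate_not_valid_after": { "lt": "now+30d" } } }
              ]
            }
          },
          "aggs": {
            "expiring_urls": {
              "terms": { "field": "http.url", "size": 100 },
              "aggs": {
                "not_after": { "max": { "field": "tls.certificate_not_valid_after" } }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.expiring_urls.buckets.size() > 0"
    }
  },
  "actions": {
    "email_secops": {
      "email": {
        "to": [ "secops@example.com" ],
        "subject": "TLS certificates expiring within 30 days",
        "body": {
          "text": "The following monitored URLs have certificates expiring within 30 days:\n\n{{#ctx.payload.aggregations.expiring_urls.buckets}}{{key}} - not valid after {{not_after.value_as_string}} ({{doc_count}} checks)\n{{/ctx.payload.aggregations.expiring_urls.buckets}}"
        }
      }
    }
  }
}
```

Two design points address the "huge count" problem. First, the `@timestamp` filter (15 minutes is an assumed value, set it to a bit more than your Heartbeat check interval) restricts the search to the latest round of checks, so historical documents for a certificate that has since been renewed do not keep firing. Second, `size: 0` discards the raw hits and the `terms` aggregation collapses all matching documents into one bucket per unique `http.url`, with the `max` sub-aggregation carrying the expiry date into the email template; the condition then fires on the number of distinct URLs rather than the number of documents. Run `POST _watcher/watch/tls-cert-expiry/_execute` to test the watch against live data without waiting for the schedule.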