Trigger an alert on a condition

Hi

I want to trigger an email alert based on this condition:

if this --- "," RequestPath":"/documentService/v1/Document/uploadLink ----- 

doesn't appear in the logs for the next 12 hours, it should send an email alert.

Can anyone please assist? As I am new to JSON, it would be great if someone could also guide me on what exactly to write.

Cheers

So, the first thing in order to get a watch up and running is to come up with a query that will answer your question - even before you start writing a watch.

Once you have that, you wrap that query into a search input and then come up with the watch condition and a logger action - once that works, create an email action.

It's important to go step by step.

Have you managed to write a decent query already? If not, please explain in more detail what the issue is, as otherwise it will be hard to help.

I tried this, as follows: (fields.RequestPath = /documentService/v1/Document/uploadLink ) in Kibana logs for more than 12 hours?

Meaning, if we don't receive the request path (/documentService/v1/Document/uploadLink) or the "uploadlink" word in our logs in the next 12 hours, then fire an alert.

I tried this but don't think it is the right one; can you please have a look...

{
  "trigger": {
    "schedule": {
      "interval": "12h"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logs"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "RequestPath": "/documentService/v1/Document/uploadLink"
                  }
                },
                {
                  "range": {
                    "_timestamp": {
                      "gte": "now-12h",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "always": {}
  },
  "actions": {
    "email_users": {
      "email": {
        "profile": "standard",
        "to": [
          "'bravo alpha abc@abc.com'"
        ],
        "subject": " executed",
        "body": {
          "html": " test123"
        }
      }
    }
  }
}

Thanks

Why do you think this query is not the right one? Is it returning the results that you expect or not? If not, what is wrong with this query?

Hi,

The problem with this query is that it fires an alert regardless; for example, whether the upload link "word" is present in the logs or not, it will just fire.

The condition I am trying to apply is, for example: if in the next 12 hours the "word" upload link doesn't appear in the logs, it should fire an event. But in my script, whether the upload link is present or not present in the logs, it will still fire an alert.

So my goal is to find a condition such that if this word doesn't appear in the logs for x number of hours, it just shoots an alert.

Does it make sense?

Thanks

Try the must_not part of a bool query.
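For reference, here is one way to express the goal stated in this thread (alert only when the search returns zero hits for the last 12 hours) as a complete watch. This is an added example, not code from the thread: it keeps the poster's index name and RequestPath field, uses a compare condition on ctx.payload.hits.total instead of the "always" condition, and adds the logging action suggested earlier so the hit count can be checked before the email goes out. The timestamp field name (@timestamp) and the recipient address are assumptions; match_phrase is used so the whole path has to appear in order rather than any single token of it.

```json
{
  "trigger": { "schedule": { "interval": "12h" } },
  "input": {
    "search": {
      "request": {
        "indices": ["logs"],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "match_phrase": { "RequestPath": "/documentService/v1/Document/uploadLink" } },
                { "range": { "@timestamp": { "gte": "now-12h", "lte": "now" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "eq": 0 } }
  },
  "actions": {
    "log_missing_uploads": {
      "logging": {
        "text": "No uploadLink requests seen in the last 12h (hits: {{ctx.payload.hits.total}})"
      }
    },
    "email_users": {
      "email": {
        "profile": "standard",
        "to": ["alerts@example.com"],
        "subject": "No uploadLink requests in the last 12 hours",
        "body": {
          "text": "The search for RequestPath /documentService/v1/Document/uploadLink returned {{ctx.payload.hits.total}} hits between {{ctx.trigger.scheduled_time}} minus 12h and now."
        }
      }
    }
  }
}
```

Running the watch with _execute while the path is still being logged should show hits.total greater than 0 and met: false on the condition; only a 12-hour window with zero matching documents triggers the actions.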
