Watch - Unique count

Hi All,

Could anyone help me get this watch done?

I was trying to execute a watch for the condition, when the unique count of event_data.TargetUserName has more than 4 entries in 24 hours:


{
"trigger": {
 "schedule": {
  "interval": "24h"
 }
},
"input": {
 "search": {
  "request": {
   "indices": [
    "winlogbeat-*"
   ],
   "body": {
    "size": 0,
    "query": {
     "bool": {
      "filter": [
       {
        "range": {
         "@timestamp": {
          "gte": "now-24h"
         }
        }
       },
   "aggs" : {
   "type_count" : {
     "cardinality" : {
       "field" : "event_data.TargetUserName"
     }
   }
 },
"condition": {
 "compare": {
  "ctx.payload.hits.total": {
   "gt": 4
  }
 }
},
"actions": {
 "send_email": {
  "email": {
   "profile": "standard",
   "to": [
    "my email"
   ],
   "subject": "Unique count exceeded
   "body": {
    "text": "Unique count exceeded"
   }
  }
 }
},
"throttle_period_in_millis": 900000
}

but it says invalid JSON.

Thanks,
Raj

While scanning your post I noticed the line:

"subject": "Unique count exceeded

You're missing a quote and a comma at the end of this line.

1 Like

Thank you for the reply, but I couldn't execute this. Should I use cardinality for the unique count? And please help me get the watch to execute:

{
  "error": {
    "root_cause": [
      {
        "type": "parse_exception",
        "reason": "could not parse watch execution request. unexpected object field [trigger]"
      }
    ],
    "type": "parse_exception",
    "reason": "could not parse watch execution request. unexpected object field [trigger]"
  },
  "status": 400
}

Please take your time to read the docs about the execute watch API; they state that you need to wrap your watch in a watch field in the execute watch API, as this API takes more parameters.

1 Like

Thank you so much for the info. Could you please help me with this condition alone? The condition is to execute a watch when the unique count of event_data.TargetUserName has more than 4 entries in 24 hours; I don't know if I should use cardinality or what function.

Please take your time to properly debug the search first. You will see that the hit count is not what you are after, but the distinct count somewhere deep in the aggs field.
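The corrected watch and the execute-API wrapper, as an added example that is not part of this thread and not Elastic's own code or documentation. It assumes a 5.x/6.x-era cluster where hits.total is a plain integer and the endpoint is POST _xpack/watcher/watch/_execute, and it assumes event_data.TargetUserName is mapped as keyword so a cardinality aggregation can run on it. The small evaluator at the bottom mirrors Watcher's compare condition so you can see offline, against a constructed search response, why ctx.payload.hits.total fires on event volume while ctx.payload.aggregations.type_count.value fires on the number of distinct account names.

```python
import json

THRESHOLD = 4  # more than 4 distinct TargetUserName values in 24h

# Corrected watch (assembled here, not the poster's original JSON):
# "aggs" is a sibling of "query" inside "body", every object is closed,
# and the condition reads the cardinality result, not hits.total.
WATCH = {
    "trigger": {"schedule": {"interval": "24h"}},
    "input": {
        "search": {
            "request": {
                "indices": ["winlogbeat-*"],
                "body": {
                    "size": 0,
                    "query": {
                        "bool": {
                            "filter": [
                                {"range": {"@timestamp": {"gte": "now-24h"}}}
                            ]
                        }
                    },
                    # beside "query", not inside bool.filter
                    "aggs": {
                        "type_count": {
                            # field assumed to be keyword (aggregatable)
                            "cardinality": {"field": "event_data.TargetUserName"}
                        }
                    },
                },
            }
        }
    },
    "condition": {
        "compare": {
            # cardinality puts its result under aggregations.<name>.value
            "ctx.payload.aggregations.type_count.value": {"gt": THRESHOLD}
        }
    },
    "actions": {
        "send_email": {
            "email": {
                "profile": "standard",
                "to": ["my email"],
                "subject": "Unique count exceeded",
                "body": {"text": "Unique count exceeded"},
            }
        }
    },
    "throttle_period_in_millis": 900000,
}


def execute_request(watch):
    """Body for POST _xpack/watcher/watch/_execute: the watch definition
    goes under "watch"; top-level keys are execute-only options."""
    return {"watch": watch, "record_execution": False}


def as_json(obj):
    """Serialised form you would send with curl; proves it is valid JSON."""
    return json.dumps(obj, indent=2)


def condition_path(watch):
    """The single dotted ctx path a compare condition reads."""
    (path,) = watch["condition"]["compare"].keys()
    return path


def resolve(payload, dotted):
    """Walk ctx.payload.a.b.c into the search response dict."""
    parts = dotted.split(".")
    assert parts[:2] == ["ctx", "payload"], dotted
    node = payload
    for key in parts[2:]:
        node = node[key]
    return node


def condition_met(watch, payload):
    """Evaluate the compare condition the way Watcher does."""
    path = condition_path(watch)
    ((op, bound),) = watch["condition"]["compare"][path].items()
    value = resolve(payload, path)
    return {"gt": value > bound, "gte": value >= bound,
            "lt": value < bound, "lte": value <= bound,
            "eq": value == bound, "not_eq": value != bound}[op]


def naive_condition_met(payload, threshold=THRESHOLD):
    """The poster's original condition: hits.total > 4 (document volume)."""
    return payload["hits"]["total"] > threshold


# Constructed search response: 12 logon events from only 3 distinct accounts.
SAMPLE_PAYLOAD = {
    "took": 3,
    "timed_out": False,
    "hits": {"total": 12, "max_score": 0.0, "hits": []},
    "aggregations": {"type_count": {"value": 3}},
}

if __name__ == "__main__":
    print(as_json(execute_request(WATCH))[:160], "...")
    print("hits.total condition fires:", naive_condition_met(SAMPLE_PAYLOAD))
    print("cardinality condition fires:", condition_met(WATCH, SAMPLE_PAYLOAD))
```

Two caveats worth keeping in mind: cardinality is an approximate (HyperLogLog++) count, but it is effectively exact far below the default precision_threshold of 3000, so a threshold of 4 is safe; and on a 7.x cluster hits.total becomes an object, which is one more reason to compare against the aggregation value rather than the hit count.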
