Watcher advanced

Hello to all, I want to use the Watcher advanced but I am struggling with the syntax.
For example, I want to see if there is any traffic on a specific port from a specific host.
The syntax itself should be right, but I do not get what I want...

The interval time is 5m, but I see in the visualization that in the last 15 minutes there is no traffic.
Does anybody know more about how to configure my behaviour?

  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "myindices-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "should": [
                {
                  "match_phrase": {
                    "beat.hostname": "myhostname"
                  }
                },
                {
                  "match_phrase": {
                    "port": "9444"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "eq": 0
      }
    }
  },

Hi, try this. Hope it helps :) Set your interval to be whatever you want the trigger period to be, and set the window_period to the period of time over which you want to look for it.

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "myindices-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "term": {
                    "port": "9444"
                  }
                },
                {
                  "term": {
                    "beat.hostname": "myhostname"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-{{ctx.metadata.window_period}}"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "events": {
              "top_hits": {
                "size": 100,
                "_source": [
                  "@timestamp",
                  "beat.hostname",
                  "port"
                ]
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "inline": "return ctx.payload.hits.total >= 1"
    }
  },
  "metadata": {
    "window_period": "5m"
  },
  "throttle_period_in_millis": 120000
}

Hey,

Without seeing the output of a watch execution, debugging this will be super hard, so we need the output of the Execute Watch API.

Also, in order to simplify debugging, I highly encourage you to take a look at this blog post, which shows what you can do to simplify debugging of watches.

One last thing: the should query you are using actually becomes an OR query; you might want to use a filter part instead, like Jason showed.

--Alex
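The two replies above hinge on one detail of Elasticsearch bool-query semantics: `should` clauses are OR'ed, and as soon as a `must` or `filter` clause is present the default `minimum_should_match` drops from 1 to 0, so the `should` clauses stop constraining `hits.total` at all. The following is an added example, not code from the thread or from Elastic: a small constructed evaluator that implements just those documented rules (`term`/`match_phrase` as exact field equality, `range` on `@timestamp` with `now-<duration>`, `filter`/`must`/`should` with the default `minimum_should_match`) and runs the three query shapes from the thread over a handful of constructed documents. Field names, host, port and timestamps are the thread's values or made up for illustration; the fixed `NOW` is an assumption so the run is deterministic.

```python
"""Added example: mimic the Elasticsearch bool-query rules the thread depends on,
without a cluster, to show why host and port must go in `filter`, not `should`."""
from datetime import datetime, timedelta, timezone
import re

# Assumed fixed "now" so the example is reproducible (Elasticsearch would use wall-clock time).
NOW = datetime(2018, 1, 1, 12, 0, tzinfo=timezone.utc)
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def parse_duration(text):
    """Parse the subset of date-math durations used in the thread, e.g. '5m', '3h'."""
    m = re.fullmatch(r"(\d+)([smhd])", text)
    if not m:
        raise ValueError(f"unsupported duration: {text}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})


def clause_matches(clause, doc, now):
    """Evaluate one leaf clause ({"term": ...}, {"range": ...}, {"bool": ...}) against a doc."""
    (kind, body), = clause.items()
    if kind in ("term", "match_phrase"):
        # Approximation: exact equality on keyword-like fields such as beat.hostname / port.
        (field, value), = body.items()
        return str(doc.get(field)) == str(value)
    if kind == "range":
        (field, bounds), = body.items()
        lower = bounds["gte"]
        if isinstance(lower, str) and lower.startswith("now-"):
            lower = now - parse_duration(lower[4:])
        return doc[field] >= lower
    if kind == "bool":
        return bool_matches(body, doc, now)
    raise ValueError(f"unsupported clause: {kind}")


def bool_matches(b, doc, now):
    """Elasticsearch bool semantics: must/filter are AND; should is OR with a default
    minimum_should_match of 1 only when there is no must/filter clause, else 0."""
    must, filt, should = b.get("must", []), b.get("filter", []), b.get("should", [])
    if not all(clause_matches(c, doc, now) for c in must + filt):
        return False
    msm = b.get("minimum_should_match", 1 if not (must or filt) else 0)
    return sum(clause_matches(c, doc, now) for c in should) >= msm


def hits_total(query, docs, now=NOW):
    """What ctx.payload.hits.total would be for this query over these docs."""
    return sum(clause_matches(query, d, now) for d in docs)


# Constructed sample documents (not real data): only DOCS[0] is "myhostname on 9444 in the last 5m".
DOCS = [
    {"@timestamp": NOW - timedelta(minutes=2), "beat.hostname": "myhostname", "port": "9444"},
    {"@timestamp": NOW - timedelta(minutes=3), "beat.hostname": "otherhost", "port": "9444"},
    {"@timestamp": NOW - timedelta(minutes=1), "beat.hostname": "myhostname", "port": "443"},
    {"@timestamp": NOW - timedelta(hours=2), "beat.hostname": "myhostname", "port": "9444"},
    {"@timestamp": NOW - timedelta(minutes=4), "beat.hostname": "otherhost", "port": "22"},
]

HOST = {"term": {"beat.hostname": "myhostname"}}
PORT = {"term": {"port": "9444"}}


def window(period):
    return {"range": {"@timestamp": {"gte": f"now-{period}"}}}


def should_only_query():
    """Shape from the question: OR of host and port, no time window."""
    return {"bool": {"should": [HOST, PORT]}}


def should_plus_filter_query(period="5m"):
    """Host/port in should, window in filter: the should clauses become optional."""
    return {"bool": {"should": [HOST, PORT], "filter": [window(period)]}}


def filter_query(period="5m"):
    """All three constraints in filter: host AND port AND within the window."""
    return {"bool": {"filter": [HOST, PORT, window(period)]}}


if __name__ == "__main__":
    for name, q in [("should only", should_only_query()),
                    ("should + filter", should_plus_filter_query()),
                    ("filter only", filter_query())]:
        print(f"{name:16s} hits.total = {hits_total(q, DOCS)}")
```

With these documents the should-only query counts four hits (anything from the host OR on the port, any time), should-plus-filter also counts four (everything inside the window, because the should clauses no longer constrain), and the all-filter query counts the single matching event; widening the window to `3h` picks up the older one as well. Whichever condition you prefer (`eq: 0` to alert on silence, `>= 1` to alert on traffic), it is only meaningful once `hits.total` counts the right documents.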
