Watcher: alert when new value seen

There's an elastalert feature that I currently depend on, and I'm curious if there's a way to do it with Watcher. Elastalert can alert when a new value has been seen. For instance, it could alert when a new IP address shows up in netflow.src_address. Any ideas on how to do this?

Thanks,
Justin

Hey,

a possible solution to this problem is to search for all documents from now-$YOUR_INTERVAL*2 (e.g. 5m), so now-10m, and then create a filters aggregation and specify two buckets, now-5m and from -5m till -10m. Then have a terms aggregation on the src_address and check the results for differences.

Note that this only works up until a certain limit due to limiting the number of buckets. You may want to take a look at the composite aggregation to support pagination, but this will not work with watcher.

Hope this helps as a start.

--Alex
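The two-window comparison Alex describes, as an added example that is not part of the original thread: it builds the search body (a filters aggregation with a "current" and a "previous" bucket, each carrying a terms sub-aggregation on netflow.src_address) and then applies the set difference to a constructed sample of the aggregation response. The `@timestamp` field, the 5m interval, the index-agnostic body and the 1000-term cap are assumptions; `netflow.src_address` is the field from the original question.

```python
"""Added example (not code from the original thread).

Builds the two-window search from the answer above and computes which
source addresses appear only in the most recent interval.  The same set
difference is what a watch condition or transform script would evaluate
over ctx.payload.aggregations.
"""

INTERVAL = "5m"                  # $YOUR_INTERVAL from the answer (assumed value)
FIELD = "netflow.src_address"    # field named in the original question
MAX_TERMS = 1000                 # terms bucket cap; comparison is complete only up to this


def double_interval(interval: str) -> str:
    """'5m' -> 'now-10m'.  Assumes a single-unit interval such as 5m or 1h."""
    amount, unit = int(interval[:-1]), interval[-1]
    return f"now-{2 * amount}{unit}"


def build_search_body(interval: str = INTERVAL, field: str = FIELD,
                      max_terms: int = MAX_TERMS) -> dict:
    """Search the last two intervals, split into current/previous filter
    buckets, with a terms sub-aggregation on the source address in each."""
    since = double_interval(interval)          # e.g. now-10m
    recent = f"now-{interval}"                 # e.g. now-5m
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": since}}},
        "aggs": {
            "window": {
                "filters": {
                    "filters": {
                        "current": {"range": {"@timestamp": {"gte": recent}}},
                        "previous": {"range": {"@timestamp": {"gte": since, "lt": recent}}},
                    }
                },
                "aggs": {"addresses": {"terms": {"field": field, "size": max_terms}}},
            }
        },
    }


def _terms_agg(response: dict, bucket: str) -> dict:
    return response["aggregations"]["window"]["buckets"][bucket]["addresses"]


def new_values(response: dict) -> tuple:
    """Return (set of addresses seen only in 'current', truncated flag).

    truncated is True when the 'previous' terms aggregation dropped values
    (sum_other_doc_count > 0): an address may then look new only because
    its earlier occurrences fell outside the bucket cap, which is the
    limit the answer warns about.
    """
    current = {b["key"] for b in _terms_agg(response, "current")["buckets"]}
    previous_agg = _terms_agg(response, "previous")
    previous = {b["key"] for b in previous_agg["buckets"]}
    truncated = previous_agg.get("sum_other_doc_count", 0) > 0
    return current - previous, truncated


# Constructed sample of what Elasticsearch would return for the body above.
SAMPLE_RESPONSE = {
    "aggregations": {
        "window": {
            "buckets": {
                "current": {
                    "doc_count": 5,
                    "addresses": {
                        "sum_other_doc_count": 0,
                        "buckets": [
                            {"key": "10.0.0.5", "doc_count": 3},
                            {"key": "10.0.0.9", "doc_count": 1},
                            {"key": "192.0.2.44", "doc_count": 1},
                        ],
                    },
                },
                "previous": {
                    "doc_count": 4,
                    "addresses": {
                        "sum_other_doc_count": 0,
                        "buckets": [
                            {"key": "10.0.0.5", "doc_count": 2},
                            {"key": "10.0.0.9", "doc_count": 2},
                        ],
                    },
                },
            }
        }
    }
}


if __name__ == "__main__":
    addresses, truncated = new_values(SAMPLE_RESPONSE)
    print("new source addresses:", sorted(addresses))   # ['192.0.2.44']
    print("previous window truncated:", truncated)       # False
```

A watch built on this would put `build_search_body()` in its search input, evaluate the set difference in its condition, and alert on a non-empty result; the `truncated` flag is worth surfacing in the alert, since once the previous window exceeds the terms cap an address can be reported as new without actually being new.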
