Watcher Alert with multi match

vaibhav.ubale · January 24, 2023, 12:43pm

Hi Team ,

I am New to community, I want to set up the watcher alert on the logs with messages like following
"message: The user has selected account 84900-1 has no limit left"
Where 84900 is account type and 1 is sub type.
Can we set up the alert based on the multi match
Following is something i am trying to create but is not working.

"must": {
                "query_string": {
                  "analyze_wildcard": true,
                  "default_field": "*",
                  "query": "message: \*"The user has selected account 84900-* has no limit left*\""
                }

Can some one help?

Ayush_Mathur · January 25, 2023, 7:44am

Hi @vaibhav.ubale , welcome to the community !
There are few options or ways to define the search query to get intended result. Since you just want to search for a substring in your message field in the same order, may be try match_phrase_prefix query with 84900- in message field.

Please refer to Elastic documentation: Match phrase prefix query | Elasticsearch Guide [8.6] | Elastic

vaibhav.ubale · February 1, 2023, 10:03am

Hi Ayush ,

Thanks for your suggestion.
It worked well . I appreciate your help and suggestion here.

system · March 1, 2023, 10:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher matching isn't working - any help? Elasticsearch elastic-stack-alerting	3	1037	July 6, 2017
Watchers: querying for multiple strings in timeframe Elasticsearch elastic-stack-alerting	2	987	August 20, 2020
Elasticsearch Alerting Watcher count mismatch Elasticsearch elastic-stack-alerting	2	375	March 16, 2021
Setup Elastic Watcher Alert to match two message strings in a log Elasticsearch elastic-stack-alerting	4	499	April 3, 2023
After match, get next lines in a watcher alert Elasticsearch elastic-stack-alerting	1	272	May 27, 2022

Watcher Alert with multi match

Related topics