Watcher for string value - Returns 'met : false'

Greetings

I'm looking at logs coming from the application layer of a server. The records look like this:

{
  "_index": "applog-test-001",
  "_type": "_doc",
  ...
  "level": "LOG",
  "message": "Database connected...",
  "host": {
    "hostname": "applog_host",
    "os": {
      "kernel": "2.6.32-754.24.3.el6.x86_64",
      "codename": "Santiago",
      "name": "Red",
      "family": "redhat",
      "version": "6.10 (Santiago)",
      "platform": "redhat"
      ...
    },
  "fields": {
    "@timestamp": [
      "2020-02-28T21:31:02.583Z"
  (etc)

What I am interested in is that field that says 'level.' Basically if the level is set to 'LOG,' I want to alert.

I created a watcher with the API with this syntax:

PUT _watcher/watch/watcher_log_level
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "applog-test-*"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-48h"
                    }
                  }
                },
                {
                  "exists": {
                    "field": "level"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "level": {
        "eq": "LOG"
      }
    }
  },
  "actions": {
    "logging_1": {
      "logging": {
        "text": "Watcher_Log_Level [{{ctx.metadata.name}}] is LOG"
      }
    },
    "index_1": {
      "index": {
        "index": "log_level_watcher"
      }
    }
  }
}

It runs okay. But under "met" it says "false." This should return true because I know I have lots of "level == LOG" type documents in that index.

If I set the condition part like this, "met" says "true."

"condition": {
  "compare": {
    "level": {
      "not_eq": ""
    }
  }
}

What am I doing wrong? This should be simple to fix but I don't know what's wrong.

Thank you!

I updated my question.
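The behaviour described in the post (met: false for eq "LOG", met: true for not_eq "") follows from how a compare condition resolves its key: the key is a dotted path into the watch execution context (for example ctx.payload.hits.total, as in the Watcher docs' compare examples), not a field name in the indexed documents. A bare "level" matches nothing in ctx, so eq "LOG" is false and not_eq "" is trivially true. The Python below is an added example, not the poster's watch or Elastic's code: it simulates that path resolution over a constructed payload, shows the three conditions side by side, and builds a corrected watch body that filters level: LOG in the query and then tests the hit count. Assumptions of mine: hits.total is a number in the payload, a match query on "level" suits the field's mapping, and the sample context is made up.

```python
"""Simulate how a Watcher `compare` condition resolves its key against ctx.

Added example, not from the original post. Assumptions: the compare key is a
dotted path into ctx (e.g. ctx.payload.hits.total); a key that is not such a
path, like the bare word "level", resolves to nothing. The payload is constructed.
"""
from typing import Any

# Constructed sample execution context shaped like a search-input result.
# hits.total is modelled as a number, as in the Watcher docs' compare examples.
SAMPLE_CTX = {
    "ctx": {
        "metadata": {"name": "watcher_log_level"},
        "payload": {
            "hits": {
                "total": 3,
                "hits": [
                    {"_source": {"level": "LOG", "message": "Database connected..."}},
                    {"_source": {"level": "ERROR", "message": "timeout"}},
                    {"_source": {"level": "LOG", "message": "cache warmed"}},
                ],
            }
        },
    }
}


def resolve(ctx: dict, path: str) -> Any:
    """Walk a dotted path such as ctx.payload.hits.hits.0._source.level.

    Returns None when any segment is missing; a key that is not a path into
    ctx (the bare "level" from the post) falls out here.
    """
    cur: Any = ctx
    for part in path.split("."):
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur


# Operators supported by the compare condition; numeric ones guard against None.
OPS = {
    "eq": lambda a, b: a == b,
    "not_eq": lambda a, b: a != b,
    "gt": lambda a, b: a is not None and a > b,
    "gte": lambda a, b: a is not None and a >= b,
    "lt": lambda a, b: a is not None and a < b,
    "lte": lambda a, b: a is not None and a <= b,
}


def compare_met(ctx: dict, condition: dict) -> bool:
    """Evaluate {"compare": {<path>: {<op>: <value>}}} against ctx."""
    (path, spec), = condition["compare"].items()
    (op, expected), = spec.items()
    return OPS[op](resolve(ctx, path), expected)


# 1) The post's condition: "level" is not a ctx path -> None -> met: false
ORIGINAL = {"compare": {"level": {"eq": "LOG"}}}
# 2) not_eq "" is true for a missing value, which is why it appears to work
NOT_EQ_EMPTY = {"compare": {"level": {"not_eq": ""}}}
# 3) Test the hit count of a query that already filters level: LOG
FIXED = {"compare": {"ctx.payload.hits.total": {"gt": 0}}}


def fixed_watch_body() -> dict:
    """Corrected watch body: filter level=LOG in the query, alert on hit count.

    With "size": 0 no hit documents are returned, so the count is the signal.
    The match query is an assumption about the field mapping; use a term query
    on a keyword field if that is how "level" is mapped.
    """
    return {
        "trigger": {"schedule": {"interval": "1m"}},
        "input": {"search": {"request": {
            "indices": ["applog-test-*"],
            "body": {"size": 0, "query": {"bool": {"filter": [
                {"range": {"@timestamp": {"gte": "now-48h"}}},
                {"match": {"level": "LOG"}},
            ]}}},
        }}},
        "condition": FIXED,
        "actions": {"logging_1": {"logging": {
            "text": "Watcher_Log_Level [{{ctx.metadata.name}}] is LOG"}}},
    }


if __name__ == "__main__":
    for name, cond in [("original", ORIGINAL), ("not_eq ''", NOT_EQ_EMPTY), ("fixed", FIXED)]:
        print(f"{name:10} -> met: {compare_met(SAMPLE_CTX, cond)}")
```

Moving the level filter into the query rather than into the condition also avoids a second trap: a condition such as ctx.payload.hits.hits.0._source.level only ever inspects the first returned hit, and returns nothing at all when size is 0.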

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.