Watcher Help

Team,

I have a need to monitor "code [" in the filebeat logs, and it should trigger an email alert when it finds the word "code [".

I have tried with the below string, but it did not help me; instead of looking for "code [", wherever it sees the word code it is alerting.

Can you please help me with what I should use to detect only "code [" (there is a space after the word code)?

{
  "query_string": {
    "query": """ (message:"code\ [")"""
  }
}

Can you provide a couple sample documents and your mapping?

I think with Kibana alerting (>v7.8) it's pretty simple to do it. Any reason you still want to use Watcher for this?

Is there any article around this?

Hi @mdamera

Yes there are articles and the new Kibana Alerting is really nice.
Here, and most likely here for your use case: the new DSL Query Alert.

However, I think the hardest part, no matter what you use, will be the query / parsing; that is why I asked for a few sample documents, so perhaps we can help you with the query etc.

The text analyzer will be breaking up that string into tokens, which may or may not be easy to detect.

Example: is it really

code [some message or code]

Please provide a couple of sample documents and your mapping as well, can you do that please?

Also please format your code / documents with the </> button above.

1 Like
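To illustrate the tokenization point made in the reply above, here is an added example (not code from the thread or from Elastic): a small Python script that approximates what the standard analyzer does to a text field, shows why the phrase `code [` collapses to the single token `code` and therefore matches every line containing that word, and contrasts it with a wildcard query on an assumed `message.keyword` multi-field. The sample log lines are constructed, and the mapping with a keyword multi-field is an assumption the thread never confirms.

```python
import re

# Constructed sample log messages (not taken from the original thread).
SAMPLE_DOCS = [
    {"message": "2021-05-01 10:00:01 INFO worker: code [E1234] returned from upstream"},
    {"message": "2021-05-01 10:00:02 INFO worker: response code 200 for /health"},
    {"message": "2021-05-01 10:00:03 WARN parser: unexpected code[E9] without space"},
]


def standard_tokens(text):
    """Rough stand-in for the standard analyzer on a text field: lowercase and
    split on non-word characters, so punctuation such as '[' is discarded."""
    return [t for t in re.split(r"\W+", text.lower()) if t]


def phrase_hits(docs, phrase, field="message"):
    """What query_string / match_phrase sees on an analyzed text field: the query
    phrase is analyzed the same way, so 'code [' becomes the single token 'code'
    and every document containing that word is a hit."""
    needle = standard_tokens(phrase)
    hits = []
    for doc in docs:
        toks = standard_tokens(doc[field])
        if any(toks[i:i + len(needle)] == needle for i in range(len(toks) - len(needle) + 1)):
            hits.append(doc[field])
    return hits


def keyword_wildcard_hits(docs, pattern, field="message"):
    """What a wildcard query against an un-analyzed keyword field sees: the raw
    string, so the space and the bracket count. '*' and '?' are the only
    wildcard metacharacters; everything else is matched literally."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern) + "$"
    return [doc[field] for doc in docs if re.match(regex, doc[field], re.DOTALL)]


def watcher_query_for_literal():
    """Query body for the watch input, assuming the mapping has a message.keyword
    multi-field (hypothetical here). Note that keyword multi-fields default to
    ignore_above 256, so very long log lines would not be indexed in it."""
    return {"query": {"wildcard": {"message.keyword": {"value": "*code [*"}}}}


if __name__ == "__main__":
    print("analyzed phrase 'code [' matches:", phrase_hits(SAMPLE_DOCS, "code ["))
    print("keyword wildcard '*code [*' matches:", keyword_wildcard_hits(SAMPLE_DOCS, "*code [*"))
```

Running it shows the analyzed phrase matching all three lines while the keyword wildcard matches only the line that literally contains `code [`.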

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.