I'm trying to create a Watcher alert to Slack, every time an IP is generating more than 10 logs per minute, of a certain type (for example, ModSecurity).
If you are trying to check if there is an IP with more than 10 hits in a minute, then checking the total hit count will not help you (that's what you checked in the condition).
You can add a min_doc_count to the aggregation, and then check if any aggregation bucket exists or if the first count is more than ten.
Also ctx.payload._source.source.ip will not exist, as the payload resembles the structure of a search response, and a search response contains a field of a document within the ctx.payload.hits.hits array.
What I'm not sure is what will happen if two different IPs are abusing at the same time, as, as far as I know, the action will only notify about the first one found in the aggregation. Correct?
But in that way, it will encapsulate all the results in a single Slack message. I think the "foreach" definition would work better, however I'm not able to make it work...
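The following is an added example, not code posted in the thread, that puts the answer's advice (terms aggregation with min_doc_count, condition on whether any bucket exists, no ctx.payload._source) and the follow-up question (one Slack message per abusing IP via the action-level foreach) into one watch body. The index pattern, the source.ip field, the Slack account and channel, and the sample payloads are all assumptions constructed for illustration; the 7.x-style hits.total object is also an assumption about the cluster version.

```python
"""Added example, not code from the original thread: a Watcher body that
buckets ModSecurity events per source IP (terms aggregation with
min_doc_count), fires only when at least one bucket exists, and sends one
Slack message per offending IP using the action-level `foreach`.
Index pattern, field names and the Slack account/channel are assumptions."""
import json

THRESHOLD = 10                    # alert on MORE than 10 events per minute
INDEX_PATTERN = "modsecurity-*"   # assumed index pattern
IP_FIELD = "source.ip"            # assumed ECS field holding the client IP
SLACK_ACCOUNT = "ops"             # assumed account name from elasticsearch.yml
SLACK_CHANNEL = "#security-alerts"  # assumed channel


def build_watch(threshold=THRESHOLD):
    """Return the watch definition as a dict (body for PUT _watcher/watch/<id>)."""
    return {
        "trigger": {"schedule": {"interval": "1m"}},
        "input": {
            "search": {
                "request": {
                    "indices": [INDEX_PATTERN],
                    "body": {
                        # size 0: only the buckets are needed, not hits.hits
                        "size": 0,
                        "query": {"range": {"@timestamp": {"gte": "now-1m"}}},
                        "aggs": {
                            "by_ip": {
                                "terms": {
                                    "field": IP_FIELD,
                                    # "more than N" means at least N+1 documents
                                    "min_doc_count": threshold + 1,
                                    "size": 100,
                                }
                            }
                        },
                    },
                }
            }
        },
        # A bucket only exists when an IP crossed the threshold, so the
        # condition is "any bucket at all", not the total hit count.
        "condition": {
            "script": {
                "lang": "painless",
                "source": "return ctx.payload.aggregations.by_ip.buckets.size() > 0",
            }
        },
        "actions": {
            "notify_slack": {
                # One iteration, hence one Slack message, per bucket. Inside
                # the loop ctx.payload is the current bucket, so key and
                # doc_count are addressed directly.
                "foreach": "ctx.payload.aggregations.by_ip.buckets",
                "max_iterations": 100,
                "slack": {
                    "account": SLACK_ACCOUNT,
                    "message": {
                        "to": [SLACK_CHANNEL],
                        "text": "ModSecurity: {{ctx.payload.key}} generated "
                                "{{ctx.payload.doc_count}} events in the last minute",
                    },
                },
            }
        },
    }


def offending_ips(payload):
    """Python mirror of the condition/foreach logic over a search-response
    payload: returns [(ip, count), ...] taken from the aggregation buckets.
    There is no payload["_source"]; document fields would sit under
    payload["hits"]["hits"][i]["_source"], which is empty here because of size 0."""
    buckets = payload.get("aggregations", {}).get("by_ip", {}).get("buckets", [])
    return [(b["key"], b["doc_count"]) for b in buckets]


def condition_met(payload):
    return len(offending_ips(payload)) > 0


# Constructed sample payloads shaped like a search response (7.x hits.total).
# 25 hits spread over several IPs, none above the threshold: no buckets, so a
# condition on hits.total would fire wrongly while the bucket check stays quiet.
PAYLOAD_QUIET = {
    "hits": {"total": {"value": 25, "relation": "eq"}, "hits": []},
    "aggregations": {"by_ip": {"buckets": []}},
}
# Two IPs abusing at once: two buckets, therefore two foreach iterations.
PAYLOAD_ABUSE = {
    "hits": {"total": {"value": 40, "relation": "eq"}, "hits": []},
    "aggregations": {"by_ip": {"buckets": [
        {"key": "203.0.113.7", "doc_count": 23},
        {"key": "198.51.100.9", "doc_count": 14},
    ]}},
}

if __name__ == "__main__":
    print(json.dumps(build_watch(), indent=2))
    print(condition_met(PAYLOAD_QUIET), offending_ips(PAYLOAD_ABUSE))
```

The terms aggregation is approximate across shards, so an IP just over the threshold on a multi-shard index can occasionally be missed or counted slightly differently; if exactness matters, compare doc_count in the Slack text against the threshold rather than trusting min_doc_count alone.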