Watcher JSON

I'm working on alerting for some winlogbeat indices. This one is for event.id 4625, logon failure. Below is my JSON. Basically, the end result will be alerting when a single user account fails x number of times within y period of time. Using the Dev Tools in Kibana and running the code below, which validates in the dev tool, I get the error below. I'm having trouble figuring out what it's looking for.

JSON CODE:
{
  "query": {
    "term": { "winlog.event_id": 4625 }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.hits.total > params.threshold",
      "lang": "painless",
      "params": {
        "threshold": 5
      }
    }
  }
}

RESULTING ERROR:

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "Unknown key for a START_OBJECT in [condition].",
        "line": 5,
        "col": 17
      }
    ],
    "type": "parsing_exception",
    "reason": "Unknown key for a START_OBJECT in [condition].",
    "line": 5,
    "col": 17
  },
  "status": 400
}

Welcome, @brooksly!

If you are trying to create a new watch, you will need to use the PUT _watcher/watch/<watch_id> API. In your screenshot, it looks like you are using GET _search. Please refer to the Watcher API documentation for more details on how to structure the request body.
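As an added example (not code from the thread above), here is what a complete watch for the stated goal looks like, sent to the PUT _watcher/watch/<watch_id> API rather than to _search. A watch needs all four top-level keys (trigger, input, condition, actions); the query goes inside the search input. The per-user counting is done by a terms aggregation on user.name with min_doc_count set to the threshold, so the condition only has to check whether any bucket came back. The field names follow the winlogbeat ECS mapping; the index pattern, watch id, threshold, time window and the optional Authorization header are assumptions for the example.

```python
"""Added example: a Watcher definition for "one account failed to log on
N or more times in the last W minutes" on winlogbeat event_id 4625 data,
plus the PUT request that installs it and a local check of the condition."""
import json
import urllib.request
from typing import Optional

INDEX_PATTERN = "winlogbeat-*"          # assumption
WATCH_ID = "failed-logons-per-user"     # assumption


def build_watch(threshold: int = 5, window_minutes: int = 10) -> dict:
    """Return the full watch body.

    The search runs every window_minutes, looks back window_minutes, and
    returns only user.name buckets with at least `threshold` 4625 events
    (min_doc_count). size: 0 because the documents themselves are not needed.
    """
    return {
        "trigger": {"schedule": {"interval": f"{window_minutes}m"}},
        "input": {
            "search": {
                "request": {
                    "indices": [INDEX_PATTERN],
                    "body": {
                        "size": 0,
                        "query": {
                            "bool": {
                                "filter": [
                                    {"term": {"winlog.event_id": 4625}},
                                    {"range": {"@timestamp": {"gte": f"now-{window_minutes}m"}}},
                                ]
                            }
                        },
                        "aggs": {
                            "by_user": {
                                "terms": {
                                    "field": "user.name",
                                    "min_doc_count": threshold,
                                    "size": 50,
                                }
                            }
                        },
                    },
                }
            }
        },
        # Fires when at least one account crossed the threshold.
        "condition": {
            "script": {
                "lang": "painless",
                "source": "return ctx.payload.aggregations.by_user.buckets.size() > 0",
            }
        },
        # Logging action as a placeholder; swap for email/webhook/index in production.
        "actions": {
            "log_offenders": {
                "logging": {
                    "text": "Failed logons over threshold: "
                            "{{#ctx.payload.aggregations.by_user.buckets}}"
                            "{{key}}={{doc_count}} "
                            "{{/ctx.payload.aggregations.by_user.buckets}}"
                }
            }
        },
    }


def condition_met(payload: dict) -> bool:
    """Pure-Python equivalent of the painless condition above, so the logic
    can be checked against a constructed search response without a cluster."""
    buckets = payload.get("aggregations", {}).get("by_user", {}).get("buckets", [])
    return len(buckets) > 0


def put_watch(base_url: str, body: dict, watch_id: str = WATCH_ID,
              auth: Optional[str] = None) -> int:
    """Install the watch with PUT _watcher/watch/<watch_id>; returns the HTTP status."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/_watcher/watch/{watch_id}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json"},
    )
    if auth:  # e.g. "ApiKey <base64>" or "Basic <base64>"; assumption
        req.add_header("Authorization", auth)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(build_watch(), indent=2))
    # Constructed sample of the search payload the condition would see.
    sample = {"aggregations": {"by_user": {"buckets": [{"key": "svc_backup", "doc_count": 7}]}}}
    print("alert:", condition_met(sample))
```

Note that user.name must be a keyword field for the terms aggregation, which it is in the winlogbeat ECS template; on a custom mapping use user.name.keyword or an equivalent. For a strictly "more than N" rule, pass threshold + 1 as min_doc_count.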
