Hi all,
I am new and testing Watcher but for some reason I am not getting any hits count from this search.
I am trying to search "Authentication failure" in the syslog index, get alerted if any hits are found in the last 1hr.
Any insight would be helpful.
Thanks!
PUT _watcher/watch/ssh_auth_failure_login
{
  "trigger": {
    "schedule": { "interval": "1h" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "syslog*" ],
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "Authentication failure"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-1h",
                    "lte": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": { "gt": 0 }
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period": "5m",
      "slack": {
        "message": {
          "to": [ "@foo" ],
          "text": "{{ctx.payload.hits.total}} hits in the last 1 hr :facepalm: "
        }
      }
    }
  }
}
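As an added, hypothetical lint helper (not from the post and not part of Watcher or Elasticsearch), this script walks a watch body, flags query field names that contain stray characters or are absent from a constructed field list standing in for the index mapping, and reports a watch that has no condition:

```python
import re

# Query clauses whose child keys are field names (assumption: common leaf clauses).
LEAF_CLAUSES = {"match", "match_phrase", "term", "terms", "range", "wildcard", "prefix"}
FIELD_NAME = re.compile(r"[A-Za-z0-9_@.\-]+")

def _walk(node, problems, known_fields):
    """Recursively visit a query tree and collect field-name problems."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in LEAF_CLAUSES and isinstance(value, dict):
                for field in value:
                    if not FIELD_NAME.fullmatch(str(field)):
                        problems.append(f"{key}: field name {field!r} contains stray characters")
                    elif known_fields and field not in known_fields:
                        problems.append(f"{key}: field {field!r} is not in the index mapping")
            _walk(value, problems, known_fields)
    elif isinstance(node, list):
        for item in node:
            _walk(item, problems, known_fields)

def lint_watch(watch, known_fields=()):
    """Return a list of human-readable problems found in a watch definition."""
    problems = []
    query = (watch.get("input", {}).get("search", {}).get("request", {})
             .get("body", {}).get("query", {}))
    _walk(query, problems, set(known_fields))
    if "condition" not in watch:
        problems.append("no condition: actions run on every trigger even when hits.total is 0")
    return problems

# Constructed input: the query from the post, including the "@timestamp:" typo.
SAMPLE_WATCH = {
    "trigger": {"schedule": {"interval": "1h"}},
    "input": {"search": {"request": {"indices": ["syslog*"], "body": {"query": {
        "bool": {
            "must": {"match": {"message": "Authentication failure"}},
            "filter": {"range": {"@timestamp:": {"gte": "now-1h", "lte": "now"}}},
        }}}}}},
    "actions": {"notify-slack": {"slack": {"message": {"to": ["@foo"], "text": "..."}}}},
}
SAMPLE_FIELDS = ["@timestamp", "message", "host.name"]  # constructed mapping field list

if __name__ == "__main__":
    for problem in lint_watch(SAMPLE_WATCH, SAMPLE_FIELDS):
        print(problem)
```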