Watcher Query with filter

lchan · September 16, 2022, 7:40pm

Hi all,

I am new and testing Watcher but for some reason I am not getting any hits count from this search.

I am trying to search "Authentication failure" in the syslog index, get alerted if any hits are found in the last 1hr.

Any insight would be helpful.
Thanks!

PUT _watcher/watch/ssh_auth_failure_login
{
  "trigger": {
    "schedule": { "interval": "1h" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "syslog*" ],
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "Authentication failure"
                }
              },
              "filter": {
                "range": {
                  "@timestamp:": {
                    "from": "now-1h",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "actions": {
    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "message" : {
          "to" : [ "@foo" ], 
          "text" : "{{ctx.payload.hits.total}} hits in the last 1 hr :facepalm: " 
        }
      }
    }
  }
}

richcollier · September 18, 2022, 9:28pm

First validate your search works all on it's own:

GET syslog*/_search
{
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "Authentication failure"
                }
              },
              "filter": {
                "range": {
                  "@timestamp:": {
                    "from": "now-1h",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
}

I can also imagine that you might not get any in the last 1 hour. So, in your test search (above, you can increase it to 1d, 30d, or whatever) to prove to yourself that you get at least some matches (and that nothing is wrong with your query).

lchan · September 20, 2022, 1:45pm

@richcollier thanks a lot! This helped, I figured it with the following. I believe this is the issue "match": { "syslog_message":"Authentication failure" }

GET syslog*/_search
{
"query": {
            "bool": {
              "must": [
                {
                  "match": { "syslog_message":"Authentication failure" }
                }
              ],
              "filter": [
                {
                  "range": { 
                    "@timestamp": {
                      "gte": "now-5m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          }
}

system · October 18, 2022, 1:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch Alerting Watcher count mismatch Elasticsearch elastic-stack-alerting	2	375	March 16, 2021
Elasticsearch query multiple logs Kibana elastic-stack-alerting	2	434	August 9, 2020
Watchers: querying for multiple strings in timeframe Elasticsearch elastic-stack-alerting	2	987	August 20, 2020
Watcher matching isn't working - any help? Elasticsearch elastic-stack-alerting	3	1037	July 6, 2017
Watcher, Alert all result of the payload, not only the first Elasticsearch elastic-stack-alerting	4	412	November 11, 2020

Watcher Query with filter

Related Topics