Watcher Query with filter

Hi all,

I am new and testing Watcher but for some reason I am not getting any hits count from this search.

I am trying to search "Authentication failure" in the syslog index, get alerted if any hits are found in the last 1hr.

Any insight would be helpful.
Thanks!

PUT _watcher/watch/ssh_auth_failure_login
{
  "trigger": {
    "schedule": { "interval": "1h" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "syslog*" ],
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "Authentication failure"
                }
              },
              "filter": {
                "range": {
                  "@timestamp:": {
                    "from": "now-1h",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "actions": {
    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "message" : {
          "to" : [ "@foo" ], 
          "text" : "{{ctx.payload.hits.total}} hits in the last 1 hr :facepalm: " 
        }
      }
    }
  }
}

First validate your search works all on its own:

GET syslog*/_search
{
  "query": {
    "bool": {
      "must": {
        "match": {
          "message": "Authentication failure"
        }
      },
      "filter": {
        "range": {
          "@timestamp:": {
            "from": "now-1h",
            "to": "now"
          }
        }
      }
    }
  }
}

I can also imagine that you might not get any in the last 1 hour. So, in your test search above, you can increase it to 1d, 30d, or whatever, to prove to yourself that you get at least some matches (and that nothing is wrong with your query).

@richcollier thanks a lot! This helped; I figured it out with the following. I believe this was the issue: "match": { "syslog_message": "Authentication failure" }

GET syslog*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": { "syslog_message": "Authentication failure" }
        }
      ],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-5m",
              "lte": "now"
            }
          }
        }
      ]
    }
  }
}
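The two things that changed between the first watch and the working search are the message field name (`message` vs `syslog_message`) and the stray colon in `"@timestamp:"`; either one alone makes every document fail the clause and returns zero hits. As an added example (not code from this thread or from Elastic), the Python script below re-implements just enough of the `bool` query (`match`, `match_phrase`, and a date `range` with `gte`/`lte` or `from`/`to`) to evaluate the original and corrected queries offline against a few constructed syslog documents, and builds a corrected watch body. The documents, the reference time `NOW`, and the helper names (`count_hits`, `thread_query`, `build_watch`) are all assumptions made for the example; the `condition.compare` on `ctx.payload.hits.total` is a standard Watcher condition that the original watch lacks, so without it the Slack action fires every interval even when there are no hits.

```python
"""Added example (not from the thread): evaluate a Watcher search input
offline against constructed syslog documents, to show why a mistyped
field name returns zero hits, and to build a corrected watch body."""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed documents in the shape of the OP's syslog* index.
SAMPLE_DOCS = [
    {"@timestamp": NOW - timedelta(minutes=2),
     "syslog_message": "sshd[101]: Authentication failure for root from 10.0.0.5"},
    {"@timestamp": NOW - timedelta(minutes=3),
     "syslog_message": "kernel: eth0 link failure detected"},
    {"@timestamp": NOW - timedelta(minutes=4),
     "syslog_message": "sshd[102]: Accepted publickey for alice from 10.0.0.7"},
    {"@timestamp": NOW - timedelta(minutes=40),
     "syslog_message": "sshd[103]: Authentication failure for admin from 10.0.0.9"},
]

_UNITS = {"m": "minutes", "h": "hours", "d": "days"}


def resolve_date_math(expr, now):
    """Resolve the date-math subset used in the thread: now, now-5m, now-1h, now-30d."""
    m = re.fullmatch(r"now(?:([+-])(\d+)([mhd]))?", expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr!r}")
    sign, amount, unit = m.groups()
    if sign is None:
        return now
    delta = timedelta(**{_UNITS[unit]: int(amount)})
    return now + delta if sign == "+" else now - delta


def _terms(text):
    return re.findall(r"\w+", text.lower())


def eval_clause(clause, doc, now):
    """Evaluate one match / match_phrase / range clause against a document.
    A field missing from the document never matches, which is exactly what
    "message" vs "syslog_message" or "@timestamp:" vs "@timestamp" produces."""
    (kind, body), = clause.items()
    (field, spec), = body.items()
    if field not in doc:
        return False
    if kind == "match":  # default operator is OR: any one query term suffices
        query = spec["query"] if isinstance(spec, dict) else spec
        operator = spec.get("operator", "or") if isinstance(spec, dict) else "or"
        doc_terms = set(_terms(doc[field]))
        present = [t in doc_terms for t in _terms(query)]
        return all(present) if operator == "and" else any(present)
    if kind == "match_phrase":  # terms must appear adjacent and in order
        phrase = spec["query"] if isinstance(spec, dict) else spec
        hay, needle = _terms(doc[field]), _terms(phrase)
        return any(hay[i:i + len(needle)] == needle for i in range(len(hay) - len(needle) + 1))
    if kind == "range":  # gte/lte, or the older from/to spelling (both inclusive)
        lower = spec.get("gte", spec.get("from"))
        upper = spec.get("lte", spec.get("to"))
        if lower is not None and doc[field] < resolve_date_math(lower, now):
            return False
        return upper is None or doc[field] <= resolve_date_math(upper, now)
    raise ValueError(f"unsupported clause type: {kind}")


def count_hits(query, docs, now=NOW):
    """Count documents satisfying every must and filter clause (list or single object)."""
    clauses = []
    for key in ("must", "filter"):
        part = query["bool"].get(key, [])
        clauses.extend(part if isinstance(part, list) else [part])
    return sum(all(eval_clause(c, d, now) for c in clauses) for d in docs)


# The OP's original query: wrong message field and a stray colon in "@timestamp:".
ORIGINAL_QUERY = {"bool": {
    "must": {"match": {"message": "Authentication failure"}},
    "filter": {"range": {"@timestamp:": {"from": "now-1h", "to": "now"}}},
}}


def thread_query(lookback="5m", operator="or"):
    """The query the thread ended with, parameterised on window and match operator."""
    return {"bool": {
        "must": [{"match": {"syslog_message": {"query": "Authentication failure",
                                               "operator": operator}}}],
        "filter": [{"range": {"@timestamp": {"gte": f"now-{lookback}", "lte": "now"}}}],
    }}


def build_watch(lookback="1h", interval="1h", field="syslog_message", slack_to="@foo"):
    """Corrected watch body: match_phrase on the right field, a range on @timestamp,
    and a compare condition so the Slack action fires only when there are hits."""
    query = {"bool": {
        "must": [{"match_phrase": {field: "Authentication failure"}}],
        "filter": [{"range": {"@timestamp": {"gte": f"now-{lookback}", "lte": "now"}}}],
    }}
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {"indices": ["syslog*"], "body": {"query": query}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"notify-slack": {"throttle_period": "5m", "slack": {"message": {
            "to": [slack_to],
            "text": "{{ctx.payload.hits.total}} hits in the last " + lookback}}}},
    }


if __name__ == "__main__":
    print("original query hits:", count_hits(ORIGINAL_QUERY, SAMPLE_DOCS))
    print("thread query (or):  ", count_hits(thread_query(), SAMPLE_DOCS))
    print("thread query (and): ", count_hits(thread_query(operator="and"), SAMPLE_DOCS))
    watch_query = build_watch()["input"]["search"]["request"]["body"]["query"]
    print("corrected watch 1h: ", count_hits(watch_query, SAMPLE_DOCS))
```

Running it shows the original query matching nothing and the thread's fixed query matching two of the sample lines in the 5 minute window. One of those two is the constructed `kernel: eth0 link failure detected` line, because a plain `match` on `"Authentication failure"` uses OR between terms and fires on any message containing `failure`. For a login-failure alert, `match_phrase` (as `build_watch` uses) or `"operator": "and"` keeps the alert to messages that actually say "Authentication failure"; the same reasoning applies to any Watcher search input, not only this one.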
