Watcher Query with filter

lchan · September 16, 2022, 7:40pm

Hi all,

I am new and testing Watcher but for some reason I am not getting any hits count from this search.

I am trying to search "Authentication failure" in the syslog index, get alerted if any hits are found in the last 1hr.

Any insight would be helpful.
Thanks!

PUT _watcher/watch/ssh_auth_failure_login
{
  "trigger": {
    "schedule": { "interval": "1h" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "syslog*" ],
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "Authentication failure"
                }
              },
              "filter": {
                "range": {
                  "@timestamp:": {
                    "from": "now-1h",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "actions": {
    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "message" : {
          "to" : [ "@foo" ], 
          "text" : "{{ctx.payload.hits.total}} hits in the last 1 hr :facepalm: " 
        }
      }
    }
  }
}

richcollier · September 18, 2022, 9:28pm

First validate your search works all on it's own:

GET syslog*/_search
{
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "Authentication failure"
                }
              },
              "filter": {
                "range": {
                  "@timestamp:": {
                    "from": "now-1h",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
}

I can also imagine that you might not get any in the last 1 hour. So, in your test search (above, you can increase it to 1d, 30d, or whatever) to prove to yourself that you get at least some matches (and that nothing is wrong with your query).

lchan · September 20, 2022, 1:45pm

@richcollier thanks a lot! This helped, I figured it with the following. I believe this is the issue "match": { "syslog_message":"Authentication failure" }

GET syslog*/_search
{
"query": {
            "bool": {
              "must": [
                {
                  "match": { "syslog_message":"Authentication failure" }
                }
              ],
              "filter": [
                {
                  "range": { 
                    "@timestamp": {
                      "gte": "now-5m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          }
}

system · October 18, 2022, 1:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.