Watcher Query with filter

lchan · September 16, 2022, 7:40pm

Hi all,

I am new and testing Watcher but for some reason I am not getting any hits count from this search.

I am trying to search "Authentication failure" in the syslog index, get alerted if any hits are found in the last 1hr.

Any insight would be helpful.
Thanks!

PUT _watcher/watch/ssh_auth_failure_login
{
  "trigger": {
    "schedule": { "interval": "1h" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "syslog*" ],
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "Authentication failure"
                }
              },
              "filter": {
                "range": {
                  "@timestamp:": {
                    "from": "now-1h",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "actions": {
    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "message" : {
          "to" : [ "@foo" ], 
          "text" : "{{ctx.payload.hits.total}} hits in the last 1 hr :facepalm: " 
        }
      }
    }
  }
}

richcollier · September 18, 2022, 9:28pm

First validate your search works all on it's own:

GET syslog*/_search
{
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "Authentication failure"
                }
              },
              "filter": {
                "range": {
                  "@timestamp:": {
                    "from": "now-1h",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
}

I can also imagine that you might not get any in the last 1 hour. So, in your test search (above, you can increase it to 1d, 30d, or whatever) to prove to yourself that you get at least some matches (and that nothing is wrong with your query).

lchan · September 20, 2022, 1:45pm

@richcollier thanks a lot! This helped, I figured it with the following. I believe this is the issue "match": { "syslog_message":"Authentication failure" }

GET syslog*/_search
{
"query": {
            "bool": {
              "must": [
                {
                  "match": { "syslog_message":"Authentication failure" }
                }
              ],
              "filter": [
                {
                  "range": { 
                    "@timestamp": {
                      "gte": "now-5m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          }
}

system · October 18, 2022, 1:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher query returns nothing, works on manual search? Elasticsearch elastic-stack-alerting	2	782	November 16, 2017
Elasticsearch Alerting Watcher count mismatch Elasticsearch elastic-stack-alerting	2	375	March 16, 2021
Watcher search for feild value in last 1mins Elasticsearch elastic-stack-alerting	2	1039	July 6, 2017
Elasticsearch query multiple logs Kibana elastic-stack-alerting	2	434	August 9, 2020
Watcher false alerts (query wrong? ) Elasticsearch elastic-stack-alerting	5	1302	September 5, 2017

Watcher Query with filter

Related topics