Hello.
Is there a way to copy the entire document from an index to another as a watcher action?
Here is what I want to achieve:
I have several watchers configured which currently are sending alerts to email, but I would like to have the same documents (for which the watcher was triggered) in a separate index so I can build a visualization based on all watcher alerts.
Please note that the watcher index action doesn't fit my needs because it indexes the payload of the search query; instead I want to have all fields indexed as in the original index.
Or may be there is another way to do this?
Thank you!
I am not sure I understand the full requirement. If you want to index the same documents that a search returned, you need to pick the _source of each document and index that using the index action, which supports multiple documents. One requirement of this is to convert this to the data you want to index using a transform before calling the index action.
This data is also already written in the .watcher-history indices. Maybe you can reuse those for your visualization without requiring to index that data a second time.
Thanks for your reply Alexander,
I want to use watch results to be reviewed by a person, so I need only events generated by watchers.
Something like a SIEM; it would be great if it were possible to use watcher results as an input in ELK SIEM, but I don't know if this is possible.
So I'm thinking of having watcher results as a separate index, where each event will be reviewed by a security person and, in case of an incident, will be handled with the relevant team.
Hope these details will make the task clear.
I'm relatively new to elasticsearch, so there is a lot of what I need to learn.
Could you please bring me an example of "you need to pick the _source of each document and index that using the index action, which supports multiple documents. One requirement of this is to convert this to the data you want to index using a transform before calling the index action."
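As an added illustration of what Alexander describes (this is not code from the thread or from Elastic's documentation), below is a complete watch body for `PUT _watcher/watch/<watch_id>`: a Painless script transform copies each hit's `_source` into a `_doc` array, and the index action then writes every element of that array as its own document, so the alert index carries the same fields as the original index plus a few provenance fields for the reviewer. The `logs-*` source pattern, the 5-minute schedule, the `watcher-alerts` target index and the use of the original `_id` to avoid re-indexing the same hit twice are assumptions.

```json
{
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "logs-*" ],
        "body": {
          "size": 100,
          "query": {
            "range": { "@timestamp": { "gte": "now-5m" } }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "def docs = []; for (hit in ctx.payload.hits.hits) { def d = new HashMap(hit._source); d['_id'] = hit._id; d['watch_id'] = ctx.watch_id; d['source_index'] = hit._index; d['alert_time'] = ctx.execution_time; d['review_status'] = 'open'; docs.add(d); } return ['_doc': docs];"
    }
  },
  "actions": {
    "copy_hits_to_alert_index": {
      "index": {
        "index": "watcher-alerts"
      }
    }
  }
}
```

The transform replaces the search payload with `{"_doc": [...]}`, which is the shape the index action expects for multiple documents; `review_status` is a constructed field the analyst can flip when triaging, and the same `_id` as the source hit means a re-run of the watch overwrites rather than duplicates an alert.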