I am pretty new to Watcher, and I had a curious use-case, I want to know if a user is logging into the machine from different geo-locations. I have the users logging info already dumped into ES and can see the logs on Kibana4. I have geoip plugin enabled for that index so I get the different geo-locations from where the users are logging into the machine. I can pick a user from the user Field I have in kibana for that Type of logs and can filter logs on that user, and finally can find out the logging in geo-locations for that user on Kibana.
I wanted to figure out a way that watcher can alert whenever it sees any user successfully logged in from multiple locations in a fixed period of time. I know the basic structure of Watcher (trigger, input, condition and action), furthermore I can also search for "SUCCESSFUL LOGINS" from ES but how can i use the list of users returned from the search , to iterate through each user and see the geo-location of login and if a user has logged in from different locations produce an alert?
Is there a way in watcher where I can use the returned payload from a search, iterate through it and perform a condition check on other fields (geo-location in this case) and perform an action?