Watcher working once, but not more

Hello everyone!
I set up a watcher to alert me on Slack if any failed login attempt was made on any of my servers, running every 20 seconds and looking at the past 20 seconds, as follows:

{
  "trigger": {
    "schedule": {
      "interval": "20s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "auditbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-20s",
                      "lte": "now"
                    }
                  }
                }
              ],
              "must": [
                {
                  "match": {
                    "message": "Failed login by"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "notify-slack": {
      "slack": {
        "message": {
          "text": "!!intruder alert!! {{#toJson}}ctx.payload{{/toJson}} "
        }
      }
    }
  }
}

The alert would trigger perfectly on the first failed attempt, but would become extremely unreliable afterwards, to the point of not triggering anymore.
Could anyone please help me out with the above?

Also, ctx.payload dumps the whole query result in my face, and I couldn't find any documentation anywhere explaining how to extract specific fields from it.

i.e:
What I am getting:

!!intruder alert!! {"_shards":{"total":1,"failed":0,"successful":1,"skipped":0},"hits":{"hits":[{"_index":"auditbeat-7.4.0-2019.10.31-000001","_type":"_doc","_source":{"process":{"pid":6725},"agent":{"hostname":"","name":"","id":"","type":"auditbeat","ephemeral_id":"","version":"7.4.0"},"@timestamp":"2019-11-03T14:10:18.000Z","ecs":{"version":"1.1.0"},"service":{"type":"system"},"host":{"hostname":"","os":{"kernel":"4.18.0-80.7.1.el8_0.x86_64","codename":"Core","name":"CentOS Linux","family":"redhat","version":"8 (Core)","platform":"centos"},"containerized":false,"name":"","id":"d9d5dba3f82c42d1b9a983b4dd1ae701","architecture":"x86_64"},"source":{"ip":"*******"},"event":{"kind":"event","origin":"/var/log/btmp","module":"system","action":"user_login","category":"authentication","type":"authentication_failure","dataset":"login","outcome":"failure"},"message":"Failed login by user root (UID: 0) on ssh:notty (PID: 6725) from ******* (IP: *******)","user":{"name":"root","id":0,"terminal":"ssh:notty"}},"_id":"8UuZMW4BOf42KXSOjKgf","_score":21.54823}],"total":1,"max_score":21.54823},"took":2,"timed_out":false}

What I want to get :

!!intruder alert!! {{:message:}} on {{:hostname:}}

Hi,
You can follow this thread on how to customize the results: How to create a watch that email specific field from input index?
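An added example, not part of either post in this thread, showing the field paths the requested Slack text needs: each hit's `_source.message` and `_source.host.hostname`, taken from a trimmed copy of the payload printed in the question. The `SLACK_TEXT_TEMPLATE` constant is the equivalent Mustache form for the watch's `slack.message.text` (it assumes Watcher's Mustache rendering iterates the `hits.hits` array in a `{{#...}}` section, which is standard Mustache behaviour); the hostname and IP values are constructed because the post masks them.

```python
# Constructed sample payload: the shape Watcher exposes as ctx.payload for a
# search input, trimmed from the document shown in the question.
SAMPLE_PAYLOAD = {
    "hits": {
        "total": 1,
        "hits": [
            {
                "_index": "auditbeat-7.4.0-2019.10.31-000001",
                "_source": {
                    "host": {"hostname": "web-01"},  # constructed; masked in the post
                    "event": {"outcome": "failure"},
                    "message": "Failed login by user root (UID: 0) on ssh:notty "
                               "(PID: 6725) from 203.0.113.7 (IP: 203.0.113.7)",
                },
            }
        ],
    }
}

# Mustache equivalent for the Slack action: one line per hit instead of the raw JSON dump.
SLACK_TEXT_TEMPLATE = (
    "!!intruder alert!! "
    "{{#ctx.payload.hits.hits}}{{_source.message}} on {{_source.host.hostname}} | "
    "{{/ctx.payload.hits.hits}}"
)


def _dig(obj, dotted):
    """Follow a dotted path such as 'host.hostname' through nested dicts; None if missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract_fields(payload, fields=("message", "host.hostname")):
    """Return one dict per hit containing only the requested _source fields."""
    rows = []
    for hit in payload.get("hits", {}).get("hits", []):
        source = hit.get("_source", {})
        rows.append({field: _dig(source, field) for field in fields})
    return rows


def render_alert(payload):
    """Build the '!!intruder alert!! <message> on <hostname>' text the question asks for."""
    lines = [f"{row['message']} on {row['host.hostname']}" for row in extract_fields(payload)]
    if not lines:
        return ""  # condition hits.total > 0 should prevent this, but stay safe
    return "!!intruder alert!! " + " | ".join(lines)
```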
