Hi all,
I have written a watcher that grabs all the host_ids that have sent logs in the past 5 minutes and sends them to a webhook.
I can see from doing a query in Kibana that there are ~20 or so in a 5-minute period.
However, when the watcher sends the webhook it is only sending the top 10 ids, obviously this is capped somewhere to be the top 10.
Any ideas how to adapt my watcher so that it sends ALL the device_ids? Is it a setting inside here, or a global setting like the size on the aggregation setting?
Bear in mind that this number could reach 10000+ in the future.
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "tid.*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-{{ctx.metadata.window_period}}"
                    }
                  }
                },
                {
                  "exists": {
                    "field": "device_id"
                  }
                }
              ]
            }
          },
          "aggs": {
            "device_id": {
              "terms": {
                "field": "device_id"
              },
              "aggs": {
                "events": {
                  "top_hits": {
                    "size": 1,
                    "_source": [
                      "device_id"
                    ]
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": """
        def offenders = [];
        for (def device_id : ctx.payload.aggregations.device_id.buckets) {
          if (device_id.doc_count >= 1) {
            offenders.add([
              'device_id': device_id.key,
              'execution_time': ctx.trigger.triggered_time
            ]);
          }
        }
        ctx.payload.offenders = offenders;
        return offenders.size() > 0;
      """,
      "lang": "painless"
    }
  },
  "actions": {
    "send_webhook": {
      "webhook": {
        "scheme": "https",
        "host": "WEBHOOK_HOST_PLACEHOLDER",
        "port": 443,
        "method": "post",
        "path": "/WEBHOOK_PATH_PLACEHOLDER",
        "body": "{{#toJson}}ctx.payload.offenders{{/toJson}}"
      }
    }
  },
  "metadata": {
    "window_period": "5m"
  },
  "throttle_period_in_millis": 120000
}
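The cap the post describes comes from the `terms` aggregation: its `size` parameter defaults to 10, so a condition script that walks `buckets` never sees more than 10 device_ids unless `size` is set on that aggregation (the single-request ceiling is then the cluster's `search.max_buckets` setting). The following is an added example, not the poster's watcher and not Elastic code. It reproduces that behaviour offline with a constructed `FakeElasticsearch` stand-in that answers only the two aggregation request shapes used here, using constructed ids `device-000` to `device-024`. It also shows the approach that scales past a single response, paging a `composite` aggregation with `after_key`, which is a client-side loop rather than something a Watcher search input can do on its own.

```python
# Added example, not the poster's watcher or any Elastic code. Demonstrates the
# "top 10" cap of a terms aggregation (size defaults to 10) and composite
# paging with after_key. FakeElasticsearch is a constructed stand-in; the
# device ids are constructed sample data.
from typing import Dict, List, Optional

SAMPLE_DEVICE_IDS = [f"device-{i:03d}" for i in range(25)]  # constructed sample


class FakeElasticsearch:
    """Constructed stand-in for an Elasticsearch client.

    Mimics the part of the aggregation contract that matters here: a terms
    aggregation truncates to `size` (default 10); a composite aggregation
    returns `size` buckets per page plus an `after_key` to continue from.
    """

    def __init__(self, device_ids: List[str]) -> None:
        self._ids = sorted(set(device_ids))

    def search(self, body: Dict) -> Dict:
        agg = body["aggs"]["device_id"]
        if "terms" in agg:
            size = agg["terms"].get("size", 10)  # Elasticsearch default is 10
            buckets = [{"key": k, "doc_count": 1} for k in self._ids[:size]]
            return {"aggregations": {"device_id": {"buckets": buckets}}}
        comp = agg["composite"]
        size = comp.get("size", 10)
        after = comp.get("after", {}).get("device_id")
        remaining = [k for k in self._ids if after is None or k > after]
        page = remaining[:size]
        result: Dict = {
            "buckets": [{"key": {"device_id": k}, "doc_count": 1} for k in page]
        }
        if page:  # Elasticsearch returns after_key only when buckets came back
            result["after_key"] = {"device_id": page[-1]}
        return {"aggregations": {"device_id": result}}


def window_filter(window: str) -> Dict:
    """Same filter as the watcher: recent documents that carry a device_id."""
    return {"bool": {"filter": [
        {"range": {"@timestamp": {"gte": f"now-{window}"}}},
        {"exists": {"field": "device_id"}},
    ]}}


def terms_body(window: str, size: Optional[int] = None) -> Dict:
    terms: Dict = {"field": "device_id"}
    if size is not None:
        terms["size"] = size  # the setting the posted watcher does not set
    return {"size": 0, "query": window_filter(window),
            "aggs": {"device_id": {"terms": terms}}}


def composite_body(window: str, page_size: int, after: Optional[Dict] = None) -> Dict:
    comp: Dict = {"size": page_size,
                  "sources": [{"device_id": {"terms": {"field": "device_id"}}}]}
    if after is not None:
        comp["after"] = after  # resume from the previous page's after_key
    return {"size": 0, "query": window_filter(window),
            "aggs": {"device_id": {"composite": comp}}}


def device_ids_via_terms(es, window: str, size: Optional[int] = None) -> List[str]:
    """One terms request: returns at most `size` keys (10 when unset)."""
    resp = es.search(terms_body(window, size))
    return [b["key"] for b in resp["aggregations"]["device_id"]["buckets"]]


def device_ids_via_composite(es, window: str, page_size: int = 1000) -> List[str]:
    """Follow after_key until a short page; bounded only by field cardinality."""
    collected: List[str] = []
    after: Optional[Dict] = None
    while True:
        agg = es.search(composite_body(window, page_size, after))["aggregations"]["device_id"]
        buckets = agg["buckets"]
        collected.extend(b["key"]["device_id"] for b in buckets)
        if len(buckets) < page_size or "after_key" not in agg:
            return collected
        after = agg["after_key"]


if __name__ == "__main__":
    es = FakeElasticsearch(SAMPLE_DEVICE_IDS)
    print(len(device_ids_via_terms(es, "5m")))                   # 10: the cap seen in the webhook
    print(len(device_ids_via_terms(es, "5m", size=10000)))       # 25: size raised on the terms agg
    print(len(device_ids_via_composite(es, "5m", page_size=7)))  # 25, collected over four pages
```

For the watcher itself, the change is the `size` on the `terms` aggregation (the `top_hits` sub-aggregation is not what limits the bucket list). A raised `size` is still a single response that must fit under `search.max_buckets`, and very high `size` values on a multi-shard index can miss rare terms unless `shard_size` is also raised; the composite loop above is the pattern for a client that has to collect every key regardless of count.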