What should I set "Document to index" so that the index connector write content of source log to index?

kevinlin · November 6, 2024, 10:10am

There is a log with field "winlog.logon.failure.sub_status" and content is "User logon with misspelled or bad password"

Refer to Index connector and action | Kibana Guide [8.15] | Elastic
I created a rule that using index connector and setting of "Document to index" is:

{
  "failedreason": "{{winlog.logon.failure.sub_status}}"
}

"failedreason" field exist in index that index connector link to but content is empty.

What can I do?

lesio · November 6, 2024, 11:36am

kevinlin · November 7, 2024, 3:38am

Thank you for reply.
I think the problem is not described correctly, I will describe it again

strawgate · November 8, 2024, 9:13pm

I couldn't find any good examples of this but I believe you'll need to do something like

{
    "failedreason": "{{#context.hits}}{{winlog.logon.failure.sub_status}}{{/context.hits}}"
}

Patrick_Mueller · November 13, 2024, 3:05pm

You should try {{_source.winlog.logon.failure.sub_status}}

see: {{winlog.logon.failure.sub_status}}

Topic		Replies	Views
Kibana Alerting won't create specified index Kibana elastic-stack-alerting	10	3042	October 14, 2020
Outputing Logstash logs to Elastic Index fails Elasticsearch	5	174	October 6, 2023
Problem with threshold alert and index connector Kibana elastic-stack-alerting	6	201	May 4, 2024
Issue creating index with alert SIEM	3	423	November 24, 2022
Alerts and Actions - Connectors Kibana	2	459	June 27, 2020