I'm currently working on monitoring Windows Services and the best way to do this seems to be within Stack Management. I would have thought this would be done in the Observability area, but when I looked through the available rule creation there doesn't appear to be a good option. The current rule within Stack Management works off the metrics data, the metrics-windows.service-testing data stream, and checks the host name, windows.service.name and windows.service.state to see if it's Running or Stopped. Is there a better/different way to do this within Observability? Having this in Stack Management seems odd, but Elastic often has more than one way to get things done.
Current rule:
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "host.name": "abc123windows"
          }
        },
        {
          "term": {
            "windows.service.name": "AdtAgent"
          }
        },
        {
          "term": {
            "windows.service.state": "Stopped"
          }
        }
      ]
    }
  }
}
I could also use a little help with making this trigger when we get a single document that says the service has Stopped over a 5 minute period. I currently have: WHEN count() OVER all documents IS ABOVE OR EQUALS 1 FOR THE LAST 5 minutes. This seems to be correct and testing looks good, but I'm not sure about the "Set the number of documents to send" SIZE 100 part, even after reading the info that comes up under the question mark.
Third, is there a DevTools command that can pull up these rules? I see there are commands in the documentation, but they don't seem to work in DevTools.
Ryan
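An added example, not from the post above or from Elastic: it re-implements the rule's three term filters, the 5 minute window and the count() >= 1 threshold in plain Python over constructed sample documents (hypothetical hosts and timestamps), and shows that SIZE only caps the matching hits handed to the rule's actions, while count() and the threshold are evaluated over all matches.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents shaped like the fields the rule filters on in
# the metrics-windows.service data stream (hypothetical hosts, not real data).
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"@timestamp": NOW - timedelta(minutes=1), "host": {"name": "abc123windows"},
     "windows": {"service": {"name": "AdtAgent", "state": "Stopped"}}},
    {"@timestamp": NOW - timedelta(minutes=2), "host": {"name": "abc123windows"},
     "windows": {"service": {"name": "AdtAgent", "state": "Running"}}},
    {"@timestamp": NOW - timedelta(minutes=9), "host": {"name": "abc123windows"},
     "windows": {"service": {"name": "AdtAgent", "state": "Stopped"}}},  # outside 5 min window
    {"@timestamp": NOW - timedelta(minutes=1), "host": {"name": "otherhost"},
     "windows": {"service": {"name": "AdtAgent", "state": "Stopped"}}},  # wrong host
]

# The same three term filters as the rule's query, as dotted field -> value.
TERM_FILTERS = {
    "host.name": "abc123windows",
    "windows.service.name": "AdtAgent",
    "windows.service.state": "Stopped",
}

def get_field(doc, dotted):
    """Resolve a dotted field path such as 'windows.service.state' in a nested doc."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def evaluate_rule(docs, now=NOW, window_minutes=5, threshold=1, size=100):
    """Mimic: WHEN count() OVER all documents IS ABOVE OR EQUALS threshold
    FOR THE LAST window_minutes, after applying TERM_FILTERS.
    'size' caps the hits passed to actions; it does not affect count()."""
    start = now - timedelta(minutes=window_minutes)
    matches = [d for d in docs
               if start <= d["@timestamp"] <= now
               and all(get_field(d, f) == v for f, v in TERM_FILTERS.items())]
    matches.sort(key=lambda d: d["@timestamp"], reverse=True)  # newest first
    return {"count": len(matches),
            "triggered": len(matches) >= threshold,
            "hits": matches[:size]}

if __name__ == "__main__":
    r = evaluate_rule(SAMPLE_DOCS)
    print(f"count={r['count']} triggered={r['triggered']} hits_sent={len(r['hits'])}")
```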