Hi I will like to know if it is possible to create an alert based on a number (count ) of text in a message.
Example let say I receive 5 messages or more in one hour that contains the word “failed”.
Can create an alert that will check every hour if this conditions occurred.
Yes, this is a perfect example for using Blocks in Watches.
{
"threshold": 5
}
Example:
{
"query": {
"bool": {
"must": [
{
"match": {
"message": "error"
}
},
{
"range": {
"timestamp": {
"gte": "now-1h"
}
}
}
]
}
}
}
Selecting the relevant index (indices):
data.mysearch.hits.total.value > data.constants.threshold
see example below:
Hope this helps
Hi SirHusky, thanks for the help. I tried with but is not working. if I run the query there are not hits. probably I am doing something wrong.
The message that I need to query is inside this field panw.panos.description
is there a way to limit the search to that field only. also do I need to query the complete message or can I query for a part of it only. for example “Failed”.
Please advice, thanks
In the above you are querying “message” but that is not where the actual “failed” string is located. It should be searching in panw.panos.description.
Regarding the search, yes, that is already being searched, so any string in panw.panos.description that include “failed” will be considered a hit.
If the above is not working can you provide example of the data you get from running a basic query on that index:
GET <index_name>/_search?pretty
you can DM me the result and redact any sensitive information.
