Webhook Integration

Hi Team,
I have integrated ES-7.17.6 with Searchguard. However, during webhook integration, I am getting the below error.
Web hook returned error: HTTP/1.1 400 Bad Request\n\n

My alert is as follows:
Match condition on metricbeat condition is WHEN average()
OF system.cpu.cores
OVER all documents
FOR THE LAST 24 hour(s)
IS ABOVE 0

Please assist.
//Ankita

@ankita1596 As you've reported, the error comes from your remote system.
Please answer the below:

  1. What is the remote system?
  2. What is the remote system expecting based on its documentation?

Hi,
I have fixed that error.
I am sending data from Searchguard to Netcool using webhook.
I have written a query under a block to find the avg of memory with a terms aggregation of hosts. Since I have 28 hosts, I am unable to write them in the body.

Can we use loops? If yes, then how?

Please assist

@ankita1596 You have metricbeat configured on all 28 hosts, each host sends metrics to the Elasticsearch index, am I correct?

Yes you understood correctly.
Now the concern is that the response for my sub-sub-aggregation contains nested buckets, and it is difficult to obtain the value from it for generating alerts.

Can you please help?

Hi,
I have used blocks.
My query is as follows on metricbeat index:

{
  "size": 0,
  "aggs": {
    "hosts": {
      "terms": {
        "field": "agent.hostname.keyword",
        "order": {
          "freemem": "desc"
        }
      },
      "aggs": {
        "region": {
          "terms": {
            "field": "cloud.region.keyword"
          },
          "aggs": {
            "account": {
              "terms": {
                "field": "cloud.account.id.keyword"
              },
              "aggs": {
                "provider": {
                  "terms": {
                    "field": "cloud.provider.keyword"
                  },
                  "aggs": {
                    "service": {
                      "terms": {
                        "field": "cloud.service.name.keyword",
                        "size": 10000
                      },
                      "aggs": {
                        "instanceid": {
                          "terms": {
                            "field": "cloud.instance.id.keyword"
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        },
        "freemem": {
          "avg": {
            "field": "system.memory.actual.free"
          }
        }
      }
    }
  }
}

The response received is:

{
  "watch": {
    "id": "__inline_watch",
    "tenant": "_main"
  },
  "data": {
    "constants": {
      "num_of_hosts": 100,
      "threshold": 1.5,
      "window": "30m",
      "threshold1": 1
    },
    "freemem": {
      "_shards": {
        "total": 1,
        "failed": 0,
        "successful": 1,
        "skipped": 0
      },
      "hits": {
        "hits": [],
        "total": {
          "value": 10000,
          "relation": "gte"
        },
        "max_score": null
      },
      "took": 2,
      "timed_out": false,
      "aggregations": {
        "hosts": {
          "doc_count_error_upper_bound": 0,
          "sum_other_doc_count": 0,
          "buckets": [
            {
              "doc_count": 10477,
              "freemem": {
                "value": 26977587701.55102
              },
              "region": {
                "doc_count_error_upper_bound": 0,
                "sum_other_doc_count": 0,
                "buckets": [
                  {
                    "doc_count": 10477,
                    "key": "us-east-1",
                    "account": {
                      "doc_count_error_upper_bound": 0,
                      "sum_other_doc_count": 0,
                      "buckets": [
                        {
                          "provider": {
                            "doc_count_error_upper_bound": 0,
                            "sum_other_doc_count": 0,
                            "buckets": [
                              {
                                "doc_count": 10477,
                                "service": {
                                  "doc_count_error_upper_bound": 0,
                                  "sum_other_doc_count": 0,
                                  "buckets": [
                                    {
                                      "doc_count": 10477,
                                      "key": "EC2",
                                      "instanceid": {
                                        "doc_count_error_upper_bound": 0,
                                        "sum_other_doc_count": 0,
                                        "buckets": [
                                          {
                                            "doc_count": 10477,
                                            "key": "i-0bfa03fb48e15cfd1"
                                          }
                                        ]
                                      }
                                    }
                                  ]
                                },
                                "key": "aws"
                              }
                            ]
                          },
                          "doc_count": 10477,
                          "key": "098974694488"
                        }
                      ]
                    }
                  }
                ]
              },
              "key": "ip-20-0-20-210.ec2.internal"
            },
            {
              "doc_count": 12153,
              "freemem": {
                "value": 22021230006.857143
              },
              "region": {
                "doc_count_error_upper_bound": 0,
                "sum_other_doc_count": 0,
                "buckets": [
                  {
                    "doc_count": 12153,
                    "key": "us-east-1",
                    "account": {
                      "doc_count_error_upper_bound": 0,
                      "sum_other_doc_count": 0,
                      "buckets": [
                        {
                          "provider": {
                            "doc_count_error_upper_bound": 0,
                            "sum_other_doc_count": 0,
                            "buckets": [
                              {
                                "doc_count": 12153,
                                "service": {
                                  "doc_count_error_upper_bound": 0,
                                  "sum_other_doc_count": 0,
                                  "buckets": [
                                    {
                                      "doc_count": 12153,
                                      "key": "EC2",
                                      "instanceid": {
                                        "doc_count_error_upper_bound": 0,
                                        "sum_other_doc_count": 0,
                                        "buckets": [
                                          {
                                            "doc_count": 12153,
                                            "key": "i-0105f95a462391bbc"
                                          }
                                        ]
                                      }
                                    }
                                  ]
                                },
                                "key": "aws"
                              }
                            ]
                          },
                          "doc_count": 12153,
                          "key": "098974694488"
                        }
                      ]
                    }
                  }
                ]
              },
              "key": "ip-20-0-21-186.ec2.internal"
            },
            {
              "doc_count": 33587,
              "freemem": {
                "value": 19078894989.061226
              },
              "region": {
                "doc_count_error_upper_bound": 0,
                "sum_other_doc_count": 0,
                "buckets": [
                  {
                    "doc_count": 33587,
                    "key": "us-east-1",
                    "account": {
                      "doc_count_error_upper_bound": 0,
                      "sum_other_doc_count": 0,
                      "buckets": [
                        {
                          "provider": {
                            "doc_count_error_upper_bound": 0,
                            "sum_other_doc_count": 0,
                            "buckets": [
                              {
                                "doc_count": 33587,
                                "service": {
                                  "doc_count_error_upper_bound": 0,
                                  "sum_other_doc_count": 0,
                                  "buckets": [
                                    {
                                      "doc_count": 33587,
                                      "key": "EC2",
                                      "instanceid": {
                                        "doc_count_error_upper_bound": 0,
                                        "sum_other_doc_count": 0,
                                        "buckets": [
                                          {
                                            "doc_count": 33587,
                                            "key": "i-032f97ad820405d97"
                                          }
                                        ]
                                      }
                                    }
                                  ]
                                },
                                "key": "aws"
                              }
                            ]
                          },
                          "doc_count": 33587,
                          "key": "098974694488"
                        }
                      ]
                    }
                  }
                ]
              },
              "key": "ip-20-0-20-126.ec2.internal"
            },
            {
              "doc_count": 12603,
              "freemem": {
                "value": 16508459676.734694
              },
              "region": {
                "doc_count_error_upper_bound": 0,
                "sum_other_doc_count": 0,
                "buckets": [
                  {
                    "doc_count": 12603,
                    "key": "us-east-1",
                    "account": {
                      "doc_count_error_upper_bound": 0,
                      "sum_other_doc_count": 0,
                      "buckets": [
                        {
                          "provider": {
                            "doc_count_error_upper_bound": 0,
                            "sum_other_doc_count": 0,
                            "buckets": [
                              {
                                "doc_count": 12603,
                                "service": {
                                  "doc_count_error_upper_bound": 0,
                                  "sum_other_doc_count": 0,
                                  "buckets": [
                                    {
                                      "doc_count": 12603,
                                      "key": "EC2",
                                      "instanceid": {
                                        "doc_count_error_upper_bound": 0,
                                        "sum_other_doc_count": 0,
                                        "buckets": [
                                          {
                                            "doc_count": 12603,
                                            "key": "i-073d2d337324b1a0d"
                                          }
                                        ]
                                      }
                                    }
                                  ]
                                },
                                "key": "aws"
                              }
                            ]
                          },
                          "doc_count": 12603,
                          "key": "098974694488"
                        }
                      ]
                    }
                  }
                ]
              },
              "key": "ip-20-0-20-145.ec2.internal"
            },
            {
              "doc_count": 9589,
              "freemem": {
                "value": 16474325117.387754
              },
              "region": {
                "doc_count_error_upper_bound": 0,
                "sum_other_doc_count": 0,
                "buckets": [
                  {
                    "doc_count": 9589,
                    "key": "us-east-1",
                    "account": {
                      "doc_count_error_upper_bound": 0,
                      "sum_other_doc_count": 0,
                      "buckets": [
                        {
                          "provider": {
                            "doc_count_error_upper_bound": 0,
                            "sum_other_doc_count": 0,
                            "buckets": [
                              {
                                "doc_count": 9589,
                                "service": {
                                  "doc_count_error_upper_bound": 0,
                                  "sum_other_doc_count": 0,
                                  "buckets": [
                                    {
                                      "doc_count": 9589,
                                      "key": "EC2",
                                      "instanceid": {
                                        "doc_count_error_upper_bound": 0,
                                        "sum_other_doc_count": 0,
                                        "buckets": [
                                          {
                                            "doc_count": 9589,
                                            "key": "i-0965fd48f96ff95d9"
                                          }
                                        ]
                                      }
                                    }
                                  ]
                                },
                                "key": "aws"
                              }
                            ]
                          },
                          "doc_count": 9589,
                          "key": "098974694488"
                        }
                      ]
                    }
                  }
                ]
              },
              "key": "ip-20-0-21-151.ec2.internal"
            },
            {
              "doc_count": 17738,
              "freemem": {
                "value": 16275266748.081633
              },
              "region": {
                "doc_count_error_upper_bound": 0,
                "sum_other_doc_count": 0,
                "buckets": [
                  {
                    "doc_count": 17738,
                    "key": "us-east-1",
                    "account": {
                      "doc_count_error_upper_bound": 0,
                      "sum_other_doc_count": 0,
                      "buckets": [
                        {
                          "provider": {
                            "doc_count_error_upper_bound": 0,
                            "sum_other_doc_count": 0,
                            "buckets": [
                              {
                                "doc_count": 17738,
                                "service": {
                                  "doc_count_error_upper_bound": 0,
                                  "sum_other_doc_count": 0,
                                  "buckets": [
                                    {
                                      "doc_count": 17738,
                                      "key": "EC2",
                                      "instanceid": {
                                        "doc_count_error_upper_bound": 0,
                                        "sum_other_doc_count": 0,
                                        "buckets": [
                                          {
                                            "doc_count": 17738,
                                            "key": "i-03e55e0d0a2d91389"
                                          }
                                        ]
                                      }
                                    }
                                  ]
                                },
                                "key": "aws"
                              }
                            ]
                          },
                          "doc_count": 17738,
                          "key": "098974694488"
                        }
                      ]
                    }
                  }
                ]
              },
              "key": "ip-20-0-21-69.ec2.internal"
            }
          ]
        }
      }
    }
  },
  "severity": {
    "level": "critical",
    "level_numeric": 4,
    "mapping_element": {
      "threshold": 400,
      "level": "critical"
    },
    "value": 26977587701.55102,
    "threshold": 400
  },
  "trigger": {
    "triggered_time": null,
    "scheduled_time": null,
    "previous_scheduled_time": null,
    "next_scheduled_time": null
  },
  "execution_time": "2022-10-17T17:02:28.273748276Z"
}

I need to send data to Netcool in the required format with memory usage in %, along with the hostname, the region it belongs to, the cloud provider and the instance id.
Kindly support how I can apply severity on all the values obtained in multiple buckets.

I have the body of message as:



Kindly support how I can format the data properly.

Hello @ankita1596 - allow me to briefly interject here. If you think you need Support Services (and/or Professional Services / Consulting) please use the “Contact Us” form so that the Commercial Team can reach out to you and discuss the available options.

Hi Team,
I have a query regarding setting severity in alerts.

For example, if I have written a search query along with aggregations and sub-aggregations, its output will be captured in nested-bucket form.

If I want to set the severity, I can only set it on one field. However, I have multiple buckets.

Can someone support?

//Ankita
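The two open questions in this thread (looping over the nested buckets of the response posted above, and applying a severity to every bucket rather than to a single field) are the same problem: the terms aggregations have to be flattened into one record per host before a severity can be assigned and a webhook body rendered. The following is an added example, not code from the thread, from Search Guard or from Netcool. It assumes an extra `totalmem` avg aggregation on `system.memory.total` beside `freemem` (the original query only averages free memory, and a percentage needs a total), illustrative thresholds on used-memory percent, and placeholder event field names, since the thread never shows the format Netcool expects. The sample response is a constructed three-host subset of the one in the post.

```python
"""Flatten a nested terms-aggregation response into one record per host,
compute memory usage in percent, assign a severity per record and render a
single webhook body. Added example; the totalmem aggregation, thresholds and
event field names are assumptions, not part of the original thread."""
import json

# Nested terms aggregations of the thread's query, outermost first.
LEVELS = ("hosts", "region", "account", "provider", "service", "instanceid")
# Metric sub-aggregations that can sit on a bucket; totalmem is assumed.
METRICS = ("freemem", "totalmem")
# Assumed thresholds on used memory %, ascending; the highest one reached wins.
DEFAULT_THRESHOLDS = (("warning", 70.0), ("error", 85.0), ("critical", 95.0))


def _host(key, docs, free, total, region, account, provider, service, inst):
    """One host bucket in exactly the nesting the thread's response uses."""
    return {
        "doc_count": docs,
        "freemem": {"value": free},
        "totalmem": {"value": total},  # assumed extra avg aggregation
        "region": {"buckets": [{"key": region, "doc_count": docs,
            "account": {"buckets": [{"key": account, "doc_count": docs,
                "provider": {"buckets": [{"key": provider, "doc_count": docs,
                    "service": {"buckets": [{"key": service, "doc_count": docs,
                        "instanceid": {"buckets": [{"key": inst, "doc_count": docs}]}
                    }]}}]}}]}}]},
        "key": key,
    }


# Constructed sample: three hosts from the thread's response. The totals are
# made up, and the third host deliberately has no total (a null avg).
SAMPLE_RESPONSE = {"aggregations": {"hosts": {"buckets": [
    _host("ip-20-0-20-210.ec2.internal", 10477, 26977587701.55102, 33000000000.0,
          "us-east-1", "098974694488", "aws", "EC2", "i-0bfa03fb48e15cfd1"),
    _host("ip-20-0-21-186.ec2.internal", 12153, 22021230006.857143, 96000000000.0,
          "us-east-1", "098974694488", "aws", "EC2", "i-0105f95a462391bbc"),
    _host("ip-20-0-20-126.ec2.internal", 33587, 19078894989.061226, None,
          "us-east-1", "098974694488", "aws", "EC2", "i-032f97ad820405d97"),
]}}}


def flatten(response, levels=LEVELS, metrics=METRICS):
    """Walk the buckets depth-first and return one flat dict per leaf.
    Each bucket key is stored under its aggregation name; metric values found
    at any level are carried down, so the host-level avg lands on the row."""
    rows = []

    def walk(buckets, depth, acc):
        for bucket in buckets:
            row = dict(acc, **{levels[depth]: bucket["key"]})
            for metric in metrics:
                if metric in bucket:
                    row[metric] = bucket[metric].get("value")
            child = bucket.get(levels[depth + 1], {}).get("buckets", []) \
                if depth + 1 < len(levels) else []
            if child:
                walk(child, depth + 1, row)
            else:  # leaf reached, or a sub-aggregation is missing: keep the row
                rows.append(row)

    walk(response["aggregations"][levels[0]]["buckets"], 0, {})
    return rows


def used_percent(free, total):
    """Used memory in percent, or None when free or total is missing/zero."""
    if free is None or not total:
        return None
    return round((total - free) / total * 100, 2)


def severity_for(used_pct, thresholds=DEFAULT_THRESHOLDS):
    """Map a used-memory percentage to a level; 'unknown' when there is none,
    so a missing metric is never silently reported as 0 % used."""
    if used_pct is None:
        return "unknown"
    level = "info"
    for name, limit in thresholds:
        if used_pct >= limit:
            level = name
    return level


def build_events(rows, thresholds=DEFAULT_THRESHOLDS):
    """One event per flattened row. Field names are a placeholder format."""
    events = []
    for row in rows:
        pct = used_percent(row.get("freemem"), row.get("totalmem"))
        events.append({"hostname": row["hosts"], "region": row["region"],
                       "account": row["account"], "provider": row["provider"],
                       "service": row["service"], "instance_id": row["instanceid"],
                       "memory_used_pct": pct,
                       "severity": severity_for(pct, thresholds)})
    return events


def webhook_body(response, min_level="warning", thresholds=DEFAULT_THRESHOLDS):
    """JSON body with every host at or above min_level, in one request."""
    order = ["unknown", "info"] + [name for name, _ in thresholds]
    keep = order.index(min_level)
    events = [e for e in build_events(flatten(response), thresholds)
              if order.index(e["severity"]) >= keep]
    return json.dumps({"events": events}, indent=2)


if __name__ == "__main__":
    print(webhook_body(SAMPLE_RESPONSE, min_level="unknown"))
```

Run as a script it prints all three events; called with the default `min_level="warning"` only the second host (about 77 % used) is left in the body, which is the per-bucket severity the thread asks for, applied to every host instead of to one field. The "unknown" level exists so that a bucket whose metric came back `null` is visible as such rather than being scored as 0 % used and dropped. Where this has to happen inside the watch rather than in a helper outside it, a transform would do the same walk; the thread does not show one, so the example stays outside the watch.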