- {
- "trigger": {
- "schedule": {
- "interval": "10s"
- }
- },
- "input": {
- "search": {
- "request": {
- "search_type": "dfs_query_then_fetch",
- "indices": [
- "<filebeat-{now/d}>"
- ],
- "types": [],
- "body": {
- "query": {
- "bool": {
- "must": [
- {
- "query_string": {
- "query": "NOT remote_ip:**IP ADDRESS**\\/24 OR NOT remote_ip:**IP ADDRESS**\\/24 OR NOT remote_ip:**IP ADDRESS**\\/16 OR NOT remote_ip:**IP ADDRESS**\\/24 OR NOT remote_ip:**IP ADDRESS**",
- "analyze_wildcard": true
- }
- },
- {
- "range": {
- "@timestamp": {
- "gte": "now-60s"
- }
- }
- }
- ],
- "must_not": []
- }
- },
- "size": 0,
- "aggs": {
- "2": {
- "terms": {
- "field": "remote_ip",
- "order": {
- "_count": "desc"
- }
- },
- "aggs": {
- "3": {
- "sum": {
- "field": "bytes"
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "condition" : {
- "compare" : {
- "ctx.payload.aggregations.2.buckets.3.3.value" : {
- "gt" : "10000"
- }
- }
- },
- "actions": {
- "send_email": {
- "email": {
- "to": "**EMAIL ADDRESS**",
- "subject": "Watcher Test Alert",
- "body": "The IP [{{#ctx.payload.aggregations.2.buckets.3}}{{key}} {{/ctx.payload.aggregations.2.buckets.3}}] spiked usage with [{{#ctx.payload.aggregations.2.buckets.3.3}}{{value}} {{/ctx.payload.aggregations.2.buckets.3.3}}] bytes"
- }
- }
- }
- }