I am unable to get the result set for the Wazuh logs coming in in my alerting queries.
I am just trying to see if logs are there and alert on the eventName using the Mustache query.
Alerts go to a Slack channel.
This is my Monitor Extraction Query Response preview:
{
"_shards": {
"total": 366,
"failed": 0,
"successful": 366,
"skipped": 0
},
"hits": {
"hits": ,
"total": {
"value": 10000,
"relation": "gte"
},
"max_score": null
},
"took": 103,
"timed_out": false
This is my Trigger condition:
ctx.results[0].hits.total.value > 0
In the screenshot, I have the data which I am alerting on.