I went through the following topic:
I also need to aggregate the result.
I can create the message output using the following:
triggered Alert for Host: {{_source.host.name}} with Severity: {{ctx.trigger.severity}} for log level *{{_source.log.level}} event_id: {{_source.winlog.event_id}}
But how can i aggregate the alert message output by host and the number/total count of event_id using the query response?
Desired Output:
- Trigger: Test Trigger if Event_id count >= 1
- Severity: 1
- Period start: 2019-09-3T12:35:53Z
- Period end: 2019-09-3T12:36:53Z
Unhealthy Nodes:
Hostname: computer01, Event_id: 8194, Event_Count: 3
Hostname: computer02, Event_id: 8194 , Event_Count: 10
I have the following Query response
{
“_shards”: {
“total”: 25,
“failed”: 0,
“successful”: 25,
“skipped”: 0
},
“hits”: {
“hits”: [
{
“_index”: “winlogbeat-7.1.1-2019.09.03”,
“_type”: “_doc”,
“_source”: {
“agent”: {
“hostname”: “computer01”,
“id”: “c2be2732-0605-44c4-8f6e-759f4bf29eef”,
“type”: “winlogbeat”,
“ephemeral_id”: “26f85118-668f-4fdd-9bfa-90613af50842”,
“version”: “7.1.1”
},
“@timestamp”: “2019-09-03T11:03:45.558Z”,
“winlog”: {
“record_id”: 427038,
“computer_name”: “computer01.corp.test.com”,
“event_id”: 8194,
“task”: “”,
“keywords”: [
“Classic”
],
“channel”: “Application”,
“api”: “wineventlog”,
“event_data”: {
“Binary”: “2D20436F64653A20575254575254494330303030313238372D2043616C6C3230”,
“param1”: “0x80070005, Access is denied.”,
“param2”: “\n\nOperation:\n Gathering Writer Data\n\nContext:\n Writer Class Id: {e8132975}\n Writer Name: System Writer\n Writer Instance ID: {c9162cad-961f}”
},
“opcode”: “Info”,
“provider_name”: “VSS”
},
“ecs”: {
“version”: “1.0.0”
},
“log”: {
“level”: “error”
},
“host”: {
“hostname”: “computer01”,
“os”: {
“build”: “17134.885”,
“kernel”: “10.0.17134.885 (WinBuild.160101.0800)”,
“name”: “Windows 10 Enterprise”,
“family”: “windows”,
“version”: “10.0”,
“platform”: “windows”
},
“name”: “computer01”,
“id”: “81ad8be0-e195-4449-a1ff-94aac008d060”,
“architecture”: “x86_64”
},
“event”: {
“code”: 8194,
“created”: “2019-09-03T11:03:45.616Z”,
“kind”: “event”
},
“message”: “Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback }”
},
“_id”: “L-rL9mwBaGHd-dxVe1hT”,
“sort”: [
1567508625558
],
“_score”: null
},
Currently following is the output