Hi All,
I’m new to Opensearch and am trying to create a per query monitor using the extraction query editor to gather details of a recently deleted bucket in the last 2 hours and by which user in AWS.
Extraction Query:
{
“query”: {
“bool”: {
“must”: [
{
“match”: {
“eventName”: {
“query”: “DeleteBucket”,
“operator”: “OR”,
“prefix_length”: 0,
“max_expansions”: 50,
“fuzzy_transpositions”: true,
“lenient”: false,
“zero_terms_query”: “NONE”,
“auto_generate_synonyms_phrase_query”: true,
“boost”: 1
}
}
},
{
“range”: {
“eventTime”: {
“from”: “now-2h”,
“to”: null,
“include_lower”: true,
“include_upper”: true,
“boost”: 1
}
}
}
],
“adjust_pure_negative”: true,
“boost”: 1
}
},
“_source”: {
“includes”: [
“userIdentity.userName”,
“requestParameters.bucketName”,
“eventTime”
],
“excludes”:
}
}
Extraction Query Response:
{
“_shards”: {
“total”: 20,
“failed”: 0,
“successful”: 20,
“skipped”: 0
},
“hits”: {
“hits”: [
{
“_index”: “dtst-cloudtrail-logs-2024.01.04”,
“_source”: {
“requestParameters”: {
“bucketName”: “tarmtestjan”
},
“eventTime”: “2024-01-04T12:02:50Z”
},
“_id”: “xD5e1IwBzuXhvOQe2Ovb”,
“_score”: 9.597851
}
],
“total”: {
“value”: 1,
“relation”: “eq”
},
“max_score”: 9.597851
},
“took”: 12,
“timed_out”: false
}
I have the following trigger condition which for the response is true:
ctx.results[0].hits.total.value > 0
I am struggling to get the notification message to list the bucket name and wanted to check where I am going wrong:
Monitor {{ctx.monitor.name}} just entered alert status.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
- S3 Bucket was Deleted: {{ctx._source.requestParameters.bucketName}}
Any help or advise would be much appreciated!