@monitors4fun This is my working example of a query-level monitor with a terms aggregation whose per-user buckets are rendered in the Slack message. Two caveats before reusing it: the monitor runs every minute but the range query looks back 50 minutes and `throttle_enabled` is false, so the same failed logins are re-notified on every run until they age out of the window (shrink the window to the schedule period or enable throttling); and the trigger condition `hits.total.value > 0` fires on any single failure, not on a per-user count — a bucket-level monitor is the right tool if you want a per-user threshold. Slack does not render HTML, so the `<br>` in the message template will appear literally; use `\n` instead. The trigger `id` and the action `destination_id` are specific to my cluster and must be replaced.
{
"name": "test1",
"type": "monitor",
"monitor_type": "query_level_monitor",
"enabled": true,
"schedule": {
"period": {
"unit": "MINUTES",
"interval": 1
}
},
"inputs": [
{
"search": {
"indices": [
"security-auditlog*"
],
"query": {
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"audit_category": {
"query": "FAILED_LOGIN",
"operator": "OR",
"prefix_length": 0,
"max_expansions": 50,
"fuzzy_transpositions": true,
"lenient": false,
"zero_terms_query": "NONE",
"auto_generate_synonyms_phrase_query": true,
"boost": 1
}
}
},
{
"range": {
"@timestamp": {
"from": "now-50m",
"to": null,
"include_lower": true,
"include_upper": true,
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"aggregations": {
"failed_logins": {
"terms": {
"field": "audit_request_effective_user.keyword",
"size": 10,
"min_doc_count": 1,
"shard_min_doc_count": 0,
"show_term_doc_count_error": false,
"order": [
{
"_count": "desc"
},
{
"_key": "asc"
}
]
}
}
}
}
}
}
],
"triggers": [
{
"query_level_trigger": {
"id": "cGtbr40B80JLapXujh-P",
"name": "trigger1",
"severity": "1",
"condition": {
"script": {
"source": "ctx.results[0].hits.total.value > 0",
"lang": "painless"
}
},
"actions": [
{
"id": "notification246725",
"name": "send_slack",
"destination_id": "N2sqr40B80JLapXuIx8j",
"message_template": {
"source": "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n - Trigger: {{ctx.trigger.name}}\n - Severity: {{ctx.trigger.severity}}\n - Period start: {{ctx.periodStart}}\n - Period end: {{ctx.periodEnd}} \nFailed {{ctx.results.0.hits.total.value}} login attempts.\n{{#ctx.results.0.aggregations.failed_logins.buckets}} - user {{key}} had {{doc_count}} failed attempts <br>{{/ctx.results.0.aggregations.failed_logins.buckets}}",
"lang": "mustache"
},
"throttle_enabled": false,
"subject_template": {
"source": "Alerting Notification action",
"lang": "mustache"
}
}
]
}
}
],
"ui_metadata": {
"schedule": {
"timezone": null,
"frequency": "interval",
"period": {
"unit": "MINUTES",
"interval": 1
},
"daily": 0,
"weekly": {
"tue": false,
"wed": false,
"thur": false,
"sat": false,
"fri": false,
"mon": false,
"sun": false
},
"monthly": {
"type": "day",
"day": 1
},
"cronExpression": "0 */1 * * *"
},
"monitor_type": "query_level_monitor",
"search": {
"searchType": "query",
"timeField": "@timestamp",
"aggregations": [],
"cleanedGroupBy": [],
"bucketValue": 1,
"bucketUnitOfTime": "h",
"filters": []
}
}
}