Hi folks,
I have some log entries in my 'index'.
I am able to search for the required ones by entering
"Async.VM.migrate_send" and "VM_check_state" and "triggering cleanup actions"
in the search field in Kibana.
It works well, returning records like this:
[ info 25 Async.VM.migrate_send R:35c843173440 xenops_server] Caught Xenops_interface.Xenopsd_error([S(Does_not_exist);[S(VM);S(8039dc68-1b41-7b6d-41d6-14604a31742a/config)]]) executing ["VM_check_state","8039dc68-1b41-7b6d-41d6-14604a31742a"]: triggering cleanup actions
My question is: what is the proper way to convert this search into a search query for the Alerting Monitor?
My current query looks like this:
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "{{period_end}}||-60m",
              "to": "{{period_end}}"
            }
          }
        },
        {
          "match_phrase": {
            "message": {
              "query": "Async.VM.migrate_send"
            }
          }
        }
      ]
    }
  }
}
However, I have had no success trying to replace "match_phrase" with "regex" or "wildcard" using "Async.VM.migrate_send * VM_check_state * triggering cleanup actions" or similar input.
I managed to construct a query like this:
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "{{period_end}}||-10m",
              "to": "{{period_end}}"
            }
          }
        },
        {
          "match_phrase": {
            "message": {
              "query": "Async.VM.migrate_send"
            }
          }
        },
        {
          "match_phrase": {
            "message": {
              "query": "VM_check_state"
            }
          }
        },
        {
          "match_phrase": {
            "message": {
              "query": "triggering cleanup actions"
            }
          }
        }
      ]
    }
  }
}
Thank you all for spending time reading this topic.
This drives me crazy, however:
Failed to update the monitor
[alerting_exception] [z9dlyHoBmcdqlGU9L82L]: version conflict, required seqNo [240], primary term [195]. current document has seqNo [287] and primary term [195]
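The conversion the post arrives at (a bool filter holding the time window plus one match_phrase clause per required phrase) generalises to any number of phrases. The script below is an added example, not code from the original post or from the Alerting plugin: it extracts the quoted phrases from the Kibana search text, builds the monitor query and a complete monitor body in the shape the OpenSearch Alerting API accepts (the index pattern "xenopsd-*", the monitor name and the "message" field are assumptions), and runs a local sanity check against a constructed copy of the log line. It also shows why the regexp/wildcard attempts found nothing: those are term-level queries, so on an analysed text field they match single tokens, not the whole line; a pattern can only span the line on a keyword subfield, and with the default dynamic mapping (ignore_above of 256) a line as long as this one would not even be indexed there.

```python
"""Build an OpenSearch Alerting monitor requiring several phrases in one message.

Added example; assumes an index pattern "xenopsd-*" and a text field "message".
"""
import json
import re

# Constructed sample log line (not captured from a live system), mirroring the
# record in the post with Kibana's <mark> highlighting removed.
SAMPLE_MESSAGE = (
    "[ info 25 Async.VM.migrate_send R:35c843173440 xenops_server] Caught "
    "Xenops_interface.Xenopsd_error([S(Does_not_exist);[S(VM);"
    "S(8039dc68-1b41-7b6d-41d6-14604a31742a/config)]]) executing "
    '["VM_check_state","8039dc68-1b41-7b6d-41d6-14604a31742a"]: '
    "triggering cleanup actions"
)

KIBANA_SEARCH = '"Async.VM.migrate_send" and "VM_check_state" and "triggering cleanup actions"'


def phrases_from_kibana(search_text):
    """Pull the quoted phrases out of a Kibana search of the form '"a" and "b"'.
    Only this quoted-AND form is handled."""
    return re.findall(r'"([^"]+)"', search_text)


def build_query(phrases, minutes=10, field="message"):
    """Monitor query: time window AND one match_phrase clause per phrase.

    Everything sits under bool.filter, so every clause must match and nothing
    is scored. Same shape as the second query in the post, for N phrases.
    """
    if not phrases:
        raise ValueError("at least one phrase is required")
    window = {"range": {"@timestamp": {"from": "{{period_end}}||-%dm" % minutes,
                                        "to": "{{period_end}}"}}}
    clauses = [{"match_phrase": {field: {"query": p}}} for p in phrases]
    return {"query": {"bool": {"filter": [window] + clauses}}}


def build_monitor(name, indices, phrases, minutes=10, interval_minutes=1):
    """Full monitor body: fire the trigger when the query returns any hit."""
    return {
        "type": "monitor",
        "name": name,
        "enabled": True,
        "schedule": {"period": {"interval": interval_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": indices,
                               "query": build_query(phrases, minutes)}}],
        "triggers": [{
            "name": name + "-trigger",
            "severity": "1",
            "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0",
                                     "lang": "painless"}},
            "actions": [],
        }],
    }


def build_keyword_regexp(phrases, field="message.keyword"):
    """Single-clause alternative that only works on a keyword (unanalysed) field.

    regexp and wildcard are term-level: on the analysed "message" field they
    run against individual tokens, so one pattern cannot span the whole line.
    Against a keyword subfield (assumed to exist) the line is one term.
    re.escape covers the same metacharacters Lucene regexp syntax uses.
    """
    pattern = ".*" + ".*".join(re.escape(p) for p in phrases) + ".*"
    return {"regexp": {field: {"value": pattern}}}


def fits_default_keyword(message, ignore_above=256):
    """Dynamic mappings index ".keyword" only up to ignore_above characters;
    longer values are silently absent from the keyword subfield."""
    return len(message) <= ignore_above


def all_phrases_present(message, phrases):
    """Local approximation of the AND of match_phrase clauses: every phrase
    appears as a contiguous, case-insensitive substring. The real analyser
    tokenises first, so treat this as a sanity check, not an exact emulation."""
    text = message.lower()
    return all(p.lower() in text for p in phrases)


if __name__ == "__main__":
    phrases = phrases_from_kibana(KIBANA_SEARCH)
    print(json.dumps(build_monitor("xenopsd-migrate-cleanup", ["xenopsd-*"], phrases),
                     indent=2))
    print("sample line matches locally:", all_phrases_present(SAMPLE_MESSAGE, phrases))
    print("sample line fits default .keyword:", fits_default_keyword(SAMPLE_MESSAGE))
```

The printed monitor body can be sent to the Alerting API's monitor endpoint; the query inside it is exactly what goes into the "Define monitor" extraction query editor. If you do want a single regexp clause instead, check the index mapping first for a keyword subfield and its ignore_above value, because the match_phrase version works on the analysed field regardless of line length.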