Juan Venter

Reputation: 143

How to filter on a date range for Sentinl?

So we've started to implement Sentinl to send alerts. I have managed to get a count of errors sent if it exceeds a specified threshold.

What I'm really struggling with is filtering for the last day!

Could someone please point me in the right direction!

Herewith the script:

{
  "actions": {
    "Email Action": {
      "throttle_period": "0h0m0s",
      "email": {
        "to": "[email protected]",
        "from": "[email protected]",
        "subject": "ELK - ERRORS caused by CreditDecisionServiceAPI.",
        "body": "{{payload.hits.total}} ERRORS caused by CreditDecisionServiceAPI. Threshold is 100."
      }
    },
    "Slack Action": {
      "throttle_period": "0h0m0s",
      "slack": {
        "channel": "#alerts",
        "message": "{{payload.hits.total}} ERRORS caused by CreditDecisionServiceAPI. Threshold is 100.",
        "stateless": false
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "index": [
          "*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "appName": "CreditDecisionServiceAPI"
                  }
                },
                {
                  "match": {
                    "level": "ERROR"
                  }
                },
                {
                  "range": {
                    "timestamp": {
                      "from": "now-1d"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "script": "payload.hits.total > 100"
    }
  },
  "transform": {},
  "trigger": {
    "schedule": {
      "later": "every 15 minutes"
    }
  },
  "disable": true,
  "report": false,
  "title": "watcher_CreditDecisionServiceAPI_Errors"
}

So to be clear, this is the part that's being ignored by the query:

{
  "range": {
    "timestamp": {
      "from": "now-1d"
    }
  }
}

Upvotes: 1

Views: 468

Answers (2)

Juan Venter

Reputation: 143

So we've FINALLY solved the problem!

Elasticsearch has changed its DSL multiple times, so please note that you need to look at what version you're using for the correct solution. We're on version 6.2.3.

The query below finally worked:

"query": {
    "bool": {
      "must": [
        {
          "match": {
            "appName": "CreditDecisionServiceAPI"
          }
        },
        {
          "match": {
            "level": "ERROR"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-1d"
            }
          }
        }
      ]
    }
}

Upvotes: 0

Green

Reputation: 2555

You need to change it and add the "filter" JSON key before the "range" one, like this:

"filter": [
  {
    "range": {
      "timestamp": {
        "gte": "now-1d"
      }
    }
  }
]

Upvotes: 2
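The two answers above differ in two details: the field name (@timestamp vs. timestamp, with gte instead of from) and where the range sits (must vs. filter). The added example below is not code from either poster or from the Sentinl project. It builds the watcher's search body with the date range in filter context, resolves Elasticsearch date math offline so you can see which window "now-1d" actually selects (and how "now-1d/d" differs by rounding to the start of the day), and evaluates the watcher's condition against constructed search responses. The field names appName, level and @timestamp come from the thread; the response payloads, the 137-hit count and the timestamps are constructed for the example, and the function names are this example's own.

```python
"""Added example (not from the question, the answers or Sentinl itself):
build the watcher's search body with the range in filter context, resolve
Elasticsearch date math offline, and evaluate the watcher's condition.

Field names (appName, level, @timestamp) are taken from the thread; the
sample responses below are constructed, not real Elasticsearch output."""
import json
import re
from datetime import datetime, timedelta

# Units accepted by this (deliberately small) date-math resolver.
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def resolve_date_math(expr, now):
    """Resolve a subset of ES date math: 'now', 'now-1d', 'now+15m', 'now-1d/d'.

    A trailing '/d' (or '/h', '/m') rounds down to the start of that unit, so
    'now-1d' is a sliding 24-hour window while 'now-1d/d' starts at midnight
    of the previous day. That difference is what 'the last day' hides."""
    m = re.fullmatch(r"now((?:[+-]\d+[smhdw])*)(?:/([dhm]))?", expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr}")
    t = now
    for sign, amount, unit in re.findall(r"([+-])(\d+)([smhdw])", m.group(1)):
        delta = timedelta(**{_UNITS[unit]: int(amount)})
        t = t + delta if sign == "+" else t - delta
    rounding = m.group(2)
    if rounding == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif rounding == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif rounding == "m":
        t = t.replace(second=0, microsecond=0)
    return t


def resolve_date_math_iso(expr, now_iso):
    """Convenience wrapper taking and returning ISO-8601 strings."""
    return resolve_date_math(expr, datetime.fromisoformat(now_iso)).isoformat()


def build_error_count_body(app_name, time_field="@timestamp", since="now-1d"):
    """Search body for the watcher: the text matches stay in 'must', the time
    window goes in 'filter' (no scoring, and cacheable by Elasticsearch).
    size is 0 because the condition only reads hits.total."""
    return {
        "size": 0,
        "query": {
            "bool": {
                "must": [
                    {"match": {"appName": app_name}},
                    {"match": {"level": "ERROR"}},
                ],
                "filter": [
                    {"range": {time_field: {"gte": since}}},
                ],
            }
        },
    }


def total_hits(payload):
    """hits.total is an integer through ES 6.x; from 7.0 it is an object
    {'value': N, 'relation': 'eq'|'gte'} unless the request sets
    rest_total_hits_as_int=true. Normalise both so a condition like
    'payload.hits.total > 100' is never evaluated against an object."""
    total = payload["hits"]["total"]
    if isinstance(total, dict):
        return int(total["value"])
    return int(total)


def condition_fires(payload, threshold=100):
    """The watcher's condition, 'payload.hits.total > 100', made version-safe."""
    return total_hits(payload) > threshold


# Constructed sample responses (shape only; the counts are made up).
SAMPLE_RESPONSE_6X = {"took": 3, "timed_out": False,
                      "hits": {"total": 137, "max_score": 0.0, "hits": []}}
SAMPLE_RESPONSE_7X = {"took": 3, "timed_out": False,
                      "hits": {"total": {"value": 137, "relation": "eq"}, "hits": []}}

if __name__ == "__main__":
    print(json.dumps(build_error_count_body("CreditDecisionServiceAPI"), indent=2))
    now = datetime.fromisoformat("2024-03-10T14:30:00+00:00")  # constructed
    for expr in ("now-1d", "now-1d/d", "now-15m"):
        print(f"{expr:10} -> since {resolve_date_math(expr, now).isoformat()}")
    for name, resp in (("6.x", SAMPLE_RESPONSE_6X), ("7.x", SAMPLE_RESPONSE_7X)):
        print(f"ES {name}: {total_hits(resp)} hits, fires={condition_fires(resp)}")
```

Two things to check in your own environment before trusting the count: that the index actually has the time field you name (the thread shows timestamp vs. @timestamp was the real difference, and a range on a field that does not exist matches nothing), and that the watcher interval (every 15 minutes here) is shorter than the window (one day), otherwise the same errors are counted and alerted on repeatedly.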
