Watcher Exercise

  • Double-check Elasticsearch, Filebat and Kibana are running:
    sudo systemctl start elasticsearch && sudo systemctl start filebeat && sudo systemctl start kibana
    
  • Navigate to http://ip-address:5601/
  • Login with elastic user credentials
  • Navigate to Management -> Elasticsearch -> Watcher
  • Select 'Create new watch' -> 'Advanced Watch' to create new Watch
  • First is trigger, let's set interval to 30s
  • Second is a query to execute, duplicate browser tab and use Dev Tools for composing query, e.g.:
    {
    "size": 10,
    "query": {
      "bool": {
        "filter": {
          "query_string": {
            "query": "@timestamp:[now-1h TO now]"
          }
        }
      }
    }
    }
    
  • Execute the query to make sure it produces results
  • Replace input.search.request.body portion of the watcher configuration with the query tested in the console
  • Modify indices portion of the input to list: filebeat*
  • Review condition portion of the json configuration
  • Type-in new watch id and name
  • Simulate the new watch to review results
  • And save the new watch
  • Give it 30 secs to fire
  • Now how do we make use of the results?
  • First find what index stores the data
  • Then define a new index pattern using the Management link on the left
  • Use discover to explore the data
  • Proceed to Visualization tab to present results
  • Please share your findings and visualization selection with others
  • Explore other actions available in the watcher

results matching ""

    No results matching ""