anandsunderraman/kibanaWatcherWithSlack.json

## kibanaWatcherWithSlack.json
{
  "trigger": {
    "schedule": {
      "interval": "1m" //how frequently you want the alert to run
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "your-index*"
        ],
        "types": [],
        "body": {
          "size": 10,
          "query": {
            "bool": {
              "must": [
                {
                  "match_phrase": {
                    "message": {
                      "query": "error message you would like to get alerted on"
                    }
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1m" //what is the time range
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0 //action trigger
      }
    }
  },
  "actions": {
    "send_trigger": {
      "throttle_period_in_millis": 60000,
      "transform": {
        "script": {
          "source": "def payload = ctx.payload;  payload.msg = ctx.payload.hits.hits.0._source.message.replace('\"', ''); payload.stackTrace = ctx.payload.hits.hits.0._source.stack_trace.replace('\"', ''); return payload;",
          "lang": "painless"
        }
      },
      "webhook": {
        "scheme": "https",
        "host": "hooks.slack.com",
        "port": 443,
        "method": "post",
        "path": "enter/rest/of/slackhook/url",
        "params": {},
        "headers": {
          "Content-type": "application/json"
        },
        "body": "{  \"channel\": \"slack-channel-name\",  \"username\": \"kibana\",  \"attachments\": [    {      \"color\": \"danger\",      \"title\": \"Your Alert title\",      \"text\": \" *Reason:*  ``` {{ ctx.payload.msg}} ``` \",      \"footer\": \"Footer\"    }  ]}"
      }
    }
  }
}
	{
	"trigger": {
	"schedule": {
	"interval": "1m" //how frequently you want the alert to run
	}
	},
	"input": {
	"search": {
	"request": {
	"search_type": "query_then_fetch",
	"indices": [
	"your-index*"
	],
	"types": [],
	"body": {
	"size": 10,
	"query": {
	"bool": {
	"must": [
	{
	"match_phrase": {
	"message": {
	"query": "error message you would like to get alerted on"
	}
	}
	}
	],
	"filter": [
	{
	"range": {
	"@timestamp": {
	"gte": "now-1m" //what is the time range
	}
	}
	}
	]
	}
	}
	}
	}
	}
	},
	"condition": {
	"compare": {
	"ctx.payload.hits.total": {
	"gt": 0 //action trigger
	}
	}
	},
	"actions": {
	"send_trigger": {
	"throttle_period_in_millis": 60000,
	"transform": {
	"script": {
	"source": "def payload = ctx.payload; payload.msg = ctx.payload.hits.hits.0._source.message.replace('\"', ''); payload.stackTrace = ctx.payload.hits.hits.0._source.stack_trace.replace('\"', ''); return payload;",
	"lang": "painless"
	}
	},
	"webhook": {
	"scheme": "https",
	"host": "hooks.slack.com",
	"port": 443,
	"method": "post",
	"path": "enter/rest/of/slackhook/url",
	"params": {},
	"headers": {
	"Content-type": "application/json"
	},
	"body": "{ \"channel\": \"slack-channel-name\", \"username\": \"kibana\", \"attachments\": [ { \"color\": \"danger\", \"title\": \"Your Alert title\", \"text\": \" Reason: ``` {{ ctx.payload.msg}} ``` \", \"footer\": \"Footer\" } ]}"
	}
	}
	}
	}