Skip to content

Instantly share code, notes, and snippets.

@richcollier

richcollier/ips_with_errors_before_but_not_lately.txt

Created January 2, 2023 00:16
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save richcollier/b21d7acaf27990775c2c033555e44260 to your computer and use it in GitHub Desktop.
Save richcollier/b21d7acaf27990775c2c033555e44260 to your computer and use it in GitHub Desktop.
Download ZIP
List of IPs that were getting errors 2 days ago, but not in the last 1 day
Raw
ips_with_errors_before_but_not_lately.txt
POST _watcher/watch/_execute
{
"watch": {
"trigger": {
"schedule": {
"interval": "1m"
}
},
"metadata": {
"longer_time": "2d/d",
"shorter_time": "1d/d",
"response": "503"
},
"input": {
"search": {
"request": {
"indices": [
"kibana_sample_data_logs"
],
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"term": {
"response.keyword": "{{ctx.metadata.response}}"
}
}
]
}
},
"aggs": {
"missing_ips": {
"terms": {
"field": "ip",
"size": 10000
},
"aggs": {
"older": {
"filter": {
"query_string": {
"default_field": "@timestamp",
"query": "@timestamp:[now-{{ctx.metadata.longer_time}} TO now]"
}
}
},
"newer": {
"filter": {
"query_string": {
"default_field": "@timestamp",
"query": "@timestamp:[now-{{ctx.metadata.shorter_time}} TO now]"
}
}
},
"expose_olders_not_in_newers": {
"bucket_selector": {
"buckets_path": {
"older": "older._count",
"newer": "newer._count"
},
"script": "params.older > 0 && params.newer == 0"
}
}
}
},
"final_count": {
"stats_bucket": {
"buckets_path": "missing_ips>_count"
}
}
}
}
}
}
},
"condition": {
"script": """
ctx.payload.aggregations.final_count.count > 0
"""
},
"actions": {
"log": {
"transform": {
"script": "return ctx.payload.aggregations.missing_ips.buckets.stream().map(p -> ['ip':p.key]).collect(Collectors.toList());"
},
"logging": {
"text": """
IPs that were getting errors 2 days ago, but not in last 1 day:
{{#ctx.payload._value}}
{{ip}}
{{/ctx.payload._value}}
"""
}
}
}
}
}
@richcollier
Copy link
Author

Example output:

          "logging": {
            "logged_text": """
          IPs that were getting errors 2 days ago, but not in last 1 day:
            65.45.138.4
            149.234.232.186
            223.27.114.76
            44.162.98.106
            44.167.75.83
            127.249.13.130
            134.157.177.139
            215.255.196.98
            230.13.157.228
            231.185.3.235
"""
          }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment