我刚开始探索用于警报和报告的 Sentinl，希望了解如何在 Kibana 中构建类似的查询并发送警报。
在下面的示例中，我选择了三个字段 syslog_hostname、syslog_timestamp 和 syslog_message，然后在 This Week 的时间段内查询了 not responding。
希望能得到任何帮助或一个小例子。
下面是我的测试 watcher，它只是查询文档计数，可以正常工作。
{
"actions": {
"email_html_alarm_2a5a1fe0-a9ae-4b7e-ae0d-05202a0deebc": {
"name": "email html alarm",
"throttle_period": "1m",
"email_html": {
"stateless": false,
"subject": "{{payload.hits.total}} new results from watcher {{watcher.title}}",
"priority": "high",
"html": "<p>Hi {{watcher.username}}</p>\n<p>There are {{payload.hits.total}} results found by the watcher <i>{{watcher.title}}</i>.</p>\n\n<div style=\"color:grey;\">\n <hr />\n <p>This watcher sends alerts based on the following criteria:</p>\n <ul><li>{{watcher.wizard.chart_query_params.queryType}} of {{watcher.wizard.chart_query_params.over.type}} over the last {{watcher.wizard.chart_query_params.last.n}} {{watcher.wizard.chart_query_params.last.unit}} {{watcher.wizard.chart_query_params.threshold.direction}} {{watcher.wizard.chart_query_params.threshold.n}} in index {{watcher.wizard.chart_query_params.index}}</li></ul>\n</div>"
}
},
"HTML_email_alarm_af205ce8-c1df-4334-8af3-f3c8d23be791": {
"name": "HTML email alarm",
"throttle_period": "1m",
"email_html": {
"html": "Hi,\n\nThis is Just test e-mail!",
"priority": "low",
"stateless": false,
"to": "xyz@example.com",
"from": "sentilRobo@example.com",
"subject": "Test"
}
}
},
"input": {
"search": {
"request": {
"index": [
"syslog-2019*"
],
"body": {
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"gte": "now-15m/m",
"lte": "now/m",
"format": "epoch_millis"
}
}
}
}
},
"size": 0,
"aggs": {
"dateAgg": {
"date_histogram": {
"field": "@timestamp",
"time_zone": "Europe/Amsterdam",
"interval": "1m",
"min_doc_count": 1
}
}
}
}
}
}
},
"condition": {
"script": {
"script": "payload.aggregations.dateAgg.buckets.some(b => b.doc_count>=0)"
}
},
"trigger": {
"schedule": {
"later": "every 45 minutes"
}
},
"disable": false,
"report": false,
"title": "count",
"save_payload": true,
"spy": false,
"impersonate": false
}
Kibana 和 Sentinl 版本：6.6