I need to create an alert that fires when "reason":"LOCKED" appears in more than 15% of events over the previous 1 hour, checked every 10m. It should only apply to "operation":"ENROLL" and "operation":"BIND".
I have this query, which gives me the locked transactions, but if I combine it with operation:BIND or ENROLL I get no results, even though the application is writing logs for those records.
index=abc cf_app_name="stack-overflow" "reason":"LOCKED" AND "operation":"ENROLL"
Below is a sample log:
{
"id": "c90f975cb368",
"source": {
"domain": "ABC",
"version": "1.0.0",
"environment": "stage"
},
"namespace": "a.b.c",
"resource": "CARD",
"operation": "ENROLL",
"state": "FAILED",
"tags": ["kpi"],
"createTime": 156898900,
"context": {
"correlationId": "0-6093d36"
},
"data": {
"dpaData": {
"dpaId": "1d457051052e71730e71cc5a",
"srctId": "526e1bcf-ca6ce85ee9cb",
"durbinRights": false
},
"dcfData": {},
"srciData": {
"srcId": "526e1ca6ce85ee9cb",
"name": "mcd
},
"appInstanceData": {
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36",
"abcdefghijklmnopqrstuvwxyz\"}",
"remoteIpAddress": "xx.yy.zz.aa",
"httpXForwardedFor": "xx.yy.aa.zz"
},
"authenticationData": {
"expiration": false,
"authenticationResult": {
"reason": "LOCKED"
},
"emailVerified": false,
"phoneVerified": false
},
"consumerData": {},
"error": {
"reason": "LOCKED",
"message": "Access is denied to the requested resource. The user account has been locked., card locked time: [166898828]",
"http-response-code": "400"
}
}
}
I just need a query that gives me the events where "reason":"LOCKED" appears under the error field together with "operation":"ENROLL".
Answer 0 (score: 0)
@DevOps99
I think the sample JSON event is invalid. If your raw event is the same as the one you posted, you will need to update that as well. Please use https://jsonlint.com/.
Based on the sample event there is one operation field and two reason fields (authenticationData.authenticationResult.reason and error.reason). So instead of using reason directly, try the field names above.
Like this:
| where operation="ENROLL" AND 'authenticationData.authenticationResult.reason'="LOCKED"
OR
| where operation="ENROLL" AND 'error.reason'="LOCKED"
Check the sample below.
| makeresults
| eval _raw = "{
\"id\": \"c90f975cb368\",
\"source\": {
\"domain\": \"ABC\",
\"version\": \"1.0.0\",
\"environment\": \"stage\"
},
\"namespace\": \"a.b.c\",
\"resource\": \"CARD\",
\"operation\": \"ENROLL\",
\"state\": \"FAILED\",
\"tags\": [\"kpi\"],
\"createTime\": \"156898900\",
\"context\": {
\"correlationId\": \"0-6093d36\"
},
\"data\": {
\"dpaData\": {
\"dpaId\": \"1d457051052e71730e71cc5a\",
\"srctId\": \"526e1bcf-ca6ce85ee9cb\",
\"durbinRights\": \"false\"
},
\"dcfData\": {},
\"srciData\": {
\"srcId\": \"526e1ca6ce85ee9cb\",
\"name\": \"mcd\"
},
\"appInstanceData\": {
\"userAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36\"
},
\"remoteIpAddress\": \"xx.yy.zz.aa\",
\"httpXForwardedFor\": \"xx.yy.aa.zz\"
},
\"authenticationData\": {
\"expiration\": \"false\",
\"authenticationResult\": {
\"reason\": \"LOCKED\"
},
\"emailVerified\": \"false\",
\"phoneVerified\": \"false\"
},
\"consumerData\": {},
\"error\": {
\"reason\": \"LOCKED\",
\"message\": \"Access is denied to the requested resource. The user account has been locked., card locked time: [166898828]\",
\"http-response-code\": \"400\"
}
}" | extract | table id operation "authenticationData.authenticationResult.reason" "error.reason"
| where operation="ENROLL" AND 'authenticationData.authenticationResult.reason'="LOCKED"
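The answer above fixes the field names but does not build the alert the question asked for (more than 15% LOCKED over the last hour, checked every 10 minutes, ENROLL and BIND only). The search below is an added example, not part of the question or the answer. It assumes the index and cf_app_name from the question, that the raw events are valid JSON (so spath can extract the nested fields), and that error.reason is the field that carries the lock result; the 15% threshold and the one-hour window come from the question. Comparing extracted fields is also more robust than matching the literal string "operation":"ENROLL" against the raw event, which depends on how the JSON was serialised.

```spl
index=abc cf_app_name="stack-overflow" earliest=-60m@m latest=@m
| spath
| search operation IN ("ENROLL", "BIND")
| eval locked=if('error.reason'="LOCKED", 1, 0)
| stats count AS total sum(locked) AS locked BY operation
| eval locked_pct=if(total > 0, round(100 * locked / total, 2), 0)
| where locked_pct > 15
```

Save it as a scheduled alert with cron `*/10 * * * *` and the trigger condition "number of results is greater than 0". The `BY operation` clause gives one row per operation, so a burst of locked BIND calls is not diluted by a large volume of successful ENROLL calls; drop it to get a single combined percentage. The if() guard on total avoids a division by zero when the window contains no matching events. Note that the single quotes around 'error.reason' are required in eval and where because the field name contains a dot.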