Watcher Exercise

  • Double-check Elasticsearch, Filebeat and Kibana are running:

    sudo systemctl start elasticsearch && sudo systemctl start filebeat && sudo systemctl start kibana
  • Log in with the elastic user credentials

  • Navigate to Management -> Elasticsearch -> Watcher

  • Select 'Create new watch' -> 'Advanced Watch' to create new Watch

  • First is the trigger; set its interval to 30s

  • Second is the query to execute; duplicate the browser tab and use Dev Tools for composing the query, e.g.:

    {
      "size": 10,
      "query": {
        "bool": {
          "filter": {
            "query_string": {
              "query": "@timestamp:[now-1h TO now]"
            }
          }
        }
      }
    }
  • Execute the query to make sure it produces results

  • Replace the input.search.request.body portion of the watch configuration with the query tested in the console

  • Modify the indices portion of the input to list: filebeat*

  • Review the condition portion of the JSON configuration

  • Type in a new watch id and name

  • Simulate the new watch to review results

  • And save the new watch

  • Give it 30 seconds to fire

  • Now how do we make use of the results?

  • First, find which index stores the data

  • Then define a new index pattern using the Management link on the left

  • Use Discover to explore the data

  • Proceed to the Visualize tab to present the results

  • Please share your findings and visualization selection with others

  • Explore the other actions available in Watcher
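As an added example (not part of the original exercise), here is the complete Advanced Watch definition that the steps above produce once assembled: the 30s trigger, the filebeat* index, the query tested in Dev Tools as the search body, a condition that fires only when the search returns at least one hit, and a logging action that records the hit count. The action name log_hits, the condition threshold of 0 and the log message text are assumptions chosen for illustration; everything else comes from the steps of the exercise.

```json
{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["filebeat*"],
        "body": {
          "size": 10,
          "query": {
            "bool": {
              "filter": {
                "query_string": {
                  "query": "@timestamp:[now-1h TO now]"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log_hits": {
      "logging": {
        "text": "Watch {{ctx.watch_id}} matched {{ctx.payload.hits.total}} Filebeat events in the last hour"
      }
    }
  }
}
```

Paste the whole object into the Advanced Watch editor, then use Simulate before saving: the simulation output shows the search hits under ctx.payload, whether the condition evaluated to true, and what the action would have done. The logging action is a useful first action because it has no external dependencies; the later "explore other actions" step covers the email, webhook and index actions that need additional configuration.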
