- Double-check Elasticsearch, Filebat and Kibana are running:
sudo systemctl start elasticsearch && sudo systemctl start filebeat && sudo systemctl start kibana
- Navigate to http://ip-address:5601/
- Login with
elasticuser credentials - Navigate to Management -> Elasticsearch -> Watcher
- Select 'Create new watch' -> 'Advanced Watch' to create new Watch
- First is trigger, let's set interval to 30s
- Second is a query to execute, duplicate browser tab and use Dev Tools for composing query, e.g.:
{
"size": 10,
"query": {
"bool": {
"filter": {
"query_string": {
"query": "@timestamp:[now-1h TO now]"
}
}
}
}
}
- Execute the query to make sure it produces results
- Replace
input.search.request.bodyportion of the watcher configuration with the query tested in the console - Modify
indicesportion of the input to list:filebeat* - Review condition portion of the json configuration
- Type-in new watch id and name
- Simulate the new watch to review results
- And save the new watch
- Give it 30 secs to fire
- Now how do we make use of the results?
- First find what index stores the data
- Then define a new index pattern using the Management link on the left
- Use discover to explore the data
- Proceed to Visualization tab to present results
- Please share your findings and visualization selection with others
- Explore other actions available in the watcher