Create and save query in Nagios Log Server

[sgiworks]

something like this?

{"aggs" : { "products" : { "terms" : { "field" : "TargetUserName", Count" : 10 }}}}

[cdienger]

Alerting on this currently isn't possible but it is a feature request - id # 9938

[sgiworks]

Checkout this:

{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1504735059807,"to":1504821459807}}},{"fquery":{"query":{"query_string":{"query":"EventID:(\"4625\" \"4771\" \"4776\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"_type:(\"eventlog\")"}},"_cache":true}}],"must_not":[{"fquery":{"query":{"query_string":{"query":"message:(S-1-0-0)"}},"_cache":true}},{"fquery": { "query": { "query_string": { "query": "TargetUserName:(count >10)" } }, "_cache": true}},{"fquery":{"query":{"query_string":{"query":"SComInstaller,Guest, IWKSEA%, IWKSSA%, SRV_PE_URL_MON"}},"_cache":true}}]}}}}}

[dwhitfield]

Are you getting an error when you run that? If so, can you put the error in a code block?