Watcher alert if no records matching filter in x minutes


I need to get ElasticSearch Watcher to alert if there is no record matching a pattern inserted into the index in a time frame, and it needs to be able to do this whilst grouping on another pair of fields. i.e. the records will be of the pattern: Date Timestamp Level Message Client Site

It needs to check that Message matches "is running" for each Client's site(s) (i.e. Google Maps and Bing Maps have the same site of Maps). I think the best(?) way to do this right now is to run a watcher per client site.

So far I have this, assume the task should write "is running" into the log every 20 minutes:

{
  "trigger" : { 
    "schedule" : {
      "interval" : "25m"
    }
  },
  "input" : { 
    "search" : {
      "request" : {
        "search_type" : "count",
        "indices" : "<logstash-{now/d}>",
        "body" : {
          "filtered" : {
            "query" : { 
              "match_phrase" : { "Message" : "Is running" } 
            },
            "filter" : {
              "match" : { "Client" : "Example" } ,
              "match" : { "Site" : "SomeSite" } 
            }

          }
        }
      }
    }
  },
  "condition" : { 
    "script" : "return ctx.payload.hits.total < 1"
  },

  "actions" : { 
    "email_administrator" : {
      "email" : {
        "to" : "[email protected]",
        "subject" : "Tasks are not running for {{ctx.payload.client}} on their site {{ctx.payload.site}}",
        "body" : "Too many error in the system, see attached data",
        "attach_data" : true,
        "priority" : "high"
      }
    }
  }
}

There are 2 best solutions below


You have to change your condition; it supports JSON format:

    "condition" : {
      "compare" : {
        "ctx.payload.hits.total" : { "lt" : 1 }
      }
    }

Please refer to the link below:

https://www.elastic.co/guide/en/watcher/current/condition.html

For anyone looking at how to do this in the future: a few things need nesting in a query as part of the filter, and match becomes term. Fun!...

{
  "trigger": {
    "schedule": {
      "interval": "25m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "count",
        "indices": "<logstash-{now/d}>",
        "body": {
          "query": {
            "filtered": {
              "query": {
                "match_phrase": {
                  "Message": "Its running"
                }
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "term": {
                        "Client": "Example"
                      }
                    },
                    {
                      "term": {
                        "Site": "SomeSite"
                      }
                    },
                    {
                      "range": {
                        "event_timestamp": {
                          "gte": "now-25m",
                          "lte": "now"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "lt": 1
      }
    }
  },

  "actions": {
    "email_administrator": {
      "email": {
        "to": "[email protected]",
        "subject": "Tasks are not running for {{ctx.payload.client}} on their site {{ctx.payload.site}}",
        "body": "Tasks are not running for {{ctx.payload.client}} on their site {{ctx.payload.site}}",
        "attach_data": true,
        "priority": "high"
      }
    }
  }
}
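The asker wanted one watch per client/site pair; the script below is an added example (not code from the question or either answer) that generates such a watch body for any pair, using the thread's field names, index pattern and heartbeat phrase, and runs the same "no heartbeat inside the window" check locally over constructed records so the condition can be verified offline. The admin address, the client list and the sample records are assumptions; the client and site are baked into the subject because a search payload carries no `client` or `site` fields.

```python
"""Added example (not from the question or answers): one watch per (Client, Site)
pair plus a local run of the same "no heartbeat in the window" check."""
from datetime import datetime, timedelta, timezone

HEARTBEAT_PHRASE = "is running"

def build_watch(client, site, window_minutes=25):
    """Watch body for one client/site pair. The three constraints share one
    bool filter (duplicate JSON keys keep only the last) and it alerts on zero hits."""
    return {
        "trigger": {"schedule": {"interval": f"{window_minutes}m"}},
        "input": {"search": {"request": {
            "search_type": "count",
            "indices": "<logstash-{now/d}>",
            "body": {"query": {"filtered": {
                "query": {"match_phrase": {"Message": HEARTBEAT_PHRASE}},
                "filter": {"bool": {"must": [
                    {"term": {"Client": client}},
                    {"term": {"Site": site}},
                    {"range": {"event_timestamp": {
                        "gte": f"now-{window_minutes}m", "lte": "now"}}},
                ]}}}}}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"lt": 1}}},
        "actions": {"email_administrator": {"email": {
            "to": "ADMIN_EMAIL_PLACEHOLDER",  # assumption: set to a real address
            "subject": f"Tasks are not running for {client} on site {site}",
            "attach_data": True, "priority": "high",
        }}},
    }

def silent_pairs(records, now, window_minutes=25):
    """Local equivalent of the watch condition: the (client, site) pairs with
    no heartbeat record inside the last window_minutes."""
    cutoff = now - timedelta(minutes=window_minutes)
    pairs = {(r["Client"], r["Site"]) for r in records}
    alive = {(r["Client"], r["Site"]) for r in records
             if r["Timestamp"] >= cutoff
             and HEARTBEAT_PHRASE in r["Message"].lower()}
    return sorted(pairs - alive)

NOW = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [  # constructed sample records in the thread's layout
    {"Timestamp": NOW - timedelta(minutes=10), "Level": "INFO",
     "Message": "Task is running", "Client": "Google", "Site": "Maps"},
    {"Timestamp": NOW - timedelta(minutes=40), "Level": "INFO",
     "Message": "Task is running", "Client": "Bing", "Site": "Maps"},
    {"Timestamp": NOW - timedelta(minutes=5), "Level": "ERROR",
     "Message": "Task failed", "Client": "Bing", "Site": "Maps"},
]
```

The term filters assume Client and Site are not_analyzed fields; against analyzed fields the capitalised values would never match and every watch would alert.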