Hi,
I see a couple questions from last year about the capability to automatically acknowledge a watch within the definition of a watch itself (including links to those questions below, for reference). Are there any updates on that as a feature?
And/or, would it be possible to do it as a webhook action?
Thanks,
Casie
Hi Cassie,
Can you share a bit about your use-case and how you would use an auto-acknowledge feature vs. the existing throttling capabilities?
Thanks,
Steve
We ingest incident data into a single incidents index. If a document with a priority 1 incident is created in the index, the document will keep it's priority 1 status and its "Open" status for an indefinite amount of time. We want to query this index for any P1/open incidents but only ever alert one time. Currently I have it set to query the index for any P1/open incidents created in the last twenty minutes, and I have a 30 minute throttle period defined, and that will work ok except for if there is a delay in ingesting data. For example: a P1 incident is created at 10 AM today, but something in our ingestion pipeline fails, we don't ingest any data between 10-11AM, we get the data in there at 11:00. . .the watch looks for anything from within the last 20 minutes, and doesn't find any.
Does that help?
A couple other things I'm thinking might work:
Can a watch modify data in the index itself? So, if we added a field for "alerted", could the watch populate that field?
We're currently indexing the payload of the watch query into a watch_p1 index. I'm going to see if I can define the watch query to look for an open, P1 incident for which there is no document in the watch_p1 index (since that would only get created by a watch execution that would have already alerted).
Let me know if you have any other thoughts and/or what plans are re: auto acknowledgement for watches.
Thanks!
Casie
This is definitely something you should also ask your Elastic support engineer 
Yeah, I was thinking of doing that, but since I saw other people asking for this feature here in the community. . .
But, yes, Mike, here I come. Mike is awesome all the time, so that helps.
Casie
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.