Hi there,
I am trying to implement a watcher for when a client is sending "excessive" amounts of requests.
When a client passes the threshold I would like to trigger an action foreach client which exceeds the threshold.
This is the first time for me using transform and painless and can't figure out the foreach and how to access the fields.
So my watcher:
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"body": {
"query": {
"bool": {
"must": [{
"range": {
"@timestamp": {
"gte": "now-5m"
}
}
},
{
"match_phrase": {
"tags": "haproxy"
}
}
]
}
},
"aggs": {
"byClient": {
"terms": {
"field": "client"
}
}
}
},
"indices": [
"filebeat-*"
]
}
}
},
"condition": {
"array_compare": {
"ctx.payload.aggregations.byClient.buckets": {
"path": "doc_count",
"gt": {
"value": 600
}
}
}
},
"transform": {
"script": {
"source": "List x = ctx.payload.aggregations.byClient.buckets.stream().filter(client -> client.doc_count >= params.threshold).collect(Collectors.toList()); return x;",
"lang": "painless",
"params": {
"threshold": 600
}
}
},
"actions": {
"foreach": "ctx.payload._value",
"createSnowEvent": {
"webhook": {
"scheme": "https",
"method": "POST",
"host": "ENDPOINT",
"port": 443,
"path": "/api/",
"body": "The client {{ctx.payload.key}} is sending {{ctx.payload.doc_count}} requests in the past 5 minutes",
"auth": {
"basic": {
"username": "user",
"password": "pwd"
}
},
"headers": {
"Content-Type": "application/json"
}
}
}
}
}
The current behaviour:
- The transform works, the action only has the 600+ clients.
- The action is triggered once, this is also the case when using
ctx.payload
- I can't access
key
ordoc_count
Thanks for reading