Adding watcher condition

Hello,
I'm looking to add a new condition to my working watcher. Currently, it alerts when the index hasn't received logs in the last 10 minutes (see below). The functionality I'm trying to add is to alert when the index has received logs in the last 30 minutes, but not in the last 10 minutes. Please advise what I need to add to this working watcher. FYI, I looked into this, but it doesn't work as expected, probably because it was built for version 7.x and I use 8.6.

PUT _watcher/watch/my-watcher
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-10m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          }
        },
        "indices": [
          "my_index"
        ]
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.hits.total <= params.threshold) { return true; } return false;",
      "params": {
        "threshold": 0
      }
    }
  },
  "transform": {
    "script": {
      "source": "HashMap result = new HashMap(); result.result = ctx.payload.hits.total; return result;",
      "params": {
        "threshold": 0
      }
    }
  },
  "actions": {
    "logging_1": {
      "logging": {
        "text": "Watch [{{ctx.metadata.name}}] has exceeded the threshold"
      }
    }
  }
}
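One way to get the "received in the last 30 minutes but not in the last 10" behaviour is to query the wider window and count the narrower one with a filter aggregation, so a single search returns both numbers and the condition compares them. This is an added example written for this thread, not the example linked in the replies below or Elastic's own code; it keeps the poster's field name `timestamp`, index `my_index` and 5-minute trigger, and the watch id `my-watcher-stalled` and the aggregation name `last_10m` are assumed names.

```json
PUT _watcher/watch/my-watcher-stalled
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "my_index"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-30m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "last_10m": {
              "filter": {
                "range": {
                  "timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-10m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.hits.total > 0 && ctx.payload.aggregations.last_10m.doc_count == 0;"
    }
  },
  "transform": {
    "script": {
      "source": "Map result = new HashMap(); result.last_30m = ctx.payload.hits.total; result.last_10m = ctx.payload.aggregations.last_10m.doc_count; return result;"
    }
  },
  "actions": {
    "logging_1": {
      "logging": {
        "text": "Watch [{{ctx.metadata.name}}]: {{ctx.payload.last_30m}} document(s) in the last 30 minutes but {{ctx.payload.last_10m}} in the last 10 minutes, the feed appears to have stalled"
      }
    }
  }
}
```

`hits.total` is the document count for the 30-minute query and `aggregations.last_10m.doc_count` is the subset of those documents inside the last 10 minutes, so the condition is met only when the first is non-zero and the second is zero; an index that has been silent for the whole 30 minutes does not fire this watch (the original watch above still covers that case). `hits.total` is capped by `track_total_hits` (10,000 by default), which does not matter for a `> 0` check. Before enabling it, run `POST _watcher/watch/my-watcher-stalled/_execute` and look at `result.input.payload` and `result.condition.met` in the response to confirm both counts are what you expect; if your pipeline routinely delivers logs several minutes late, widen the inner window accordingly, or the watch will fire on ingest lag rather than on a real outage.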

Take a look at this example:

I'm not able to get your example to work; I'm not sure if the mapping I'm using is correct. See below, please advise.

{
  "my_index": {
    "mappings": {
      "properties": {
        "simple_property": {
          "type": "keyword"
        },
        "timestamp": {
          "type": "date"
        }
      }
    }
  }
}
  1. my example uses @timestamp and your index has timestamp
  2. my example uses index wildcards "al*", "stir*" and your index name is my_index

so you'll need to change those differences, for sure.

In my last post, I showed the mapping of the index I'm using called "my_index" by running this from the console

GET my_index/_mapping?pretty

If possible, could you show the mapping of one of your indexes?

Sure!

{
  "alarm-messages": {
    "mappings": {
      "_meta": {
        "created_by": "file-data-visualizer"
      },
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "AHostname": {
          "type": "keyword"
        },
        "AHostname_keyword": {
          "type": "keyword"
        },
        "ActiveMins": {
          "type": "long"
        },
        "ActiveMins_keyword": {
          "type": "long"
        },
        "AlarmKey": {
          "type": "text"
        },
        "AlarmKey_keyword": {
          "type": "text"
        },
        "AlarmType": {
          "type": "keyword"
        },
        "AlarmType_keyword": {
          "type": "keyword"
        },
        "AlertCategory": {
          "type": "keyword"
        },
        "AlertCategory_keyword": {
          "type": "keyword"
        },
        "CaseDescription": {
          "type": "keyword"
        },
        "CaseDescription_keyword": {
          "type": "keyword"
        },
        "Cause": {
          "type": "keyword"
        },
        "Cause_keyword": {
          "type": "keyword"
        },
        "Domain": {
          "type": "keyword"
        },
        "Domain_keyword": {
          "type": "keyword"
        },
        "ElementName": {
          "type": "keyword"
        },
        "ElementName_keyword": {
          "type": "keyword"
        },
        "ElementType": {
          "type": "keyword"
        },
        "ElementType_keyword": {
          "type": "keyword"
        },
        "EventStatus": {
          "type": "keyword"
        },
        "EventStatus_keyword": {
          "type": "keyword"
        },
        "FirstAlertedTS": {
          "type": "date",
          "format": "epoch_second"
        },
        "FirstAlertedTS_keyword": {
          "type": "date",
          "format": "epoch_second"
        },
        "KPIMeasure": {
          "type": "keyword"
        },
        "KPIMeasure_keyword": {
          "type": "keyword"
        },
        "LatestAlertedTS": {
          "type": "date",
          "format": "epoch_second"
        },
        "LatestAlertedTS_keyword": {
          "type": "date",
          "format": "epoch_second"
        },
        "ManagerClass": {
          "type": "keyword"
        },
        "ManagerClass_keyword": {
          "type": "keyword"
        },
        "NEID": {
          "type": "keyword"
        },
        "NEID_keyword": {
          "type": "keyword"
        },
        "Network": {
          "type": "keyword"
        },
        "Network_keyword": {
          "type": "keyword"
        },
        "ProductName": {
          "type": "keyword"
        },
        "ProductName_keyword": {
          "type": "keyword"
        },
        "SendtoNOC": {
          "type": "keyword"
        },
        "SendtoNOC_keyword": {
          "type": "keyword"
        },
        "Severity": {
          "type": "keyword"
        },
        "Severity_keyword": {
          "type": "keyword"
        },
        "SourceEventID": {
          "type": "keyword"
        },
        "SourceEventID_keyword": {
          "type": "keyword"
        },
        "SourceEventType": {
          "type": "keyword"
        },
        "SourceEventType_keyword": {
          "type": "keyword"
        },
        "SourceSystem": {
          "type": "keyword"
        },
        "SourceSystem_keyword": {
          "type": "keyword"
        },
        "SubSourceType": {
          "type": "keyword"
        },
        "SubSourceType_keyword": {
          "type": "keyword"
        },
        "ThresholdValue": {
          "type": "long"
        },
        "ThresholdValue_keyword": {
          "type": "long"
        },
        "TriggerDescription": {
          "type": "text"
        },
        "TriggerDescription_keyword": {
          "type": "text"
        },
        "TriggerUnitsofMeasure": {
          "type": "keyword"
        },
        "TriggerUnitsofMeasure_keyword": {
          "type": "keyword"
        },
        "TriggerValue": {
          "type": "long"
        },
        "deviceCLLI": {
          "type": "keyword"
        },
        "deviceCLLI_keyword": {
          "type": "keyword"
        },
        "insertTimestamp": {
          "type": "date",
          "format": "MMM d, yyyy @ HH:mm:ss.SSS"
        },
        "name": {
          "type": "keyword"
        },
        "name_keyword": {
          "type": "keyword"
        }
      }
    }
  }
}

The timestamp was causing issues. Your example is working as expected. Thanks for the feedback!
