Adding watcher condition

alextg · March 1, 2023, 1:43pm

Hello,
I'm looking to add a new condition to my working watcher. Currently, it alerts when the index doesn't received logs in the last 10 minutes (see below). The functionality I'm trying to add is to alert when the index have received logs in the last 30 minutes, but not in the last 10 minutes. Please advise what I need to add to this working watcher. FYI, I looked into this, but it doesn't work as expected, probably cause it was build for version 7.x and I use 8.6

PUT _watcher/watch/my-watcher
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-10m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          }
        },
        "indices": [
          "my_index"
        ]
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.hits.total <= params.threshold) { return true; } return false;",
      "params": {
        "threshold": 0
      }
    }
  },
  "transform": {
    "script": {
      "source": "HashMap result = new HashMap(); result.result = ctx.payload.hits.total; return result;",
      "params": {
        "threshold": 0
      }
    }
  },
  "actions": {
    "logging_1": {
      "logging": {
        "text": "Watch [{{ctx.metadata.name}}] has exceeded the threshold"
      }
    }
  }
}

richcollier · March 2, 2023, 2:47pm

Take a look at this example:

gist.github.com

https://gist.github.com/richcollier/32d291d9b960d903864113a211dbbb23

detect_missing_data.txt

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1d"
      }
    },
    "metadata": {
      "longer_time": "2d/d",

This file has been truncated. show original

alextg · March 8, 2023, 7:24pm

Not able to get your example to work, not sure if the mapping I'm using is correct, see below, please advise.

{
  "my_index": {
    "mappings": {
      "properties": {
        "simple_property": {
          "type": "keyword"
        },
        "timestamp": {
          "type": "date"
        }
      }
    }
  }
}

richcollier · March 8, 2023, 9:46pm

my example uses @timestamp and your index has timestamp
my example uses index wildcards "al*", "stir*" and your index name is my_index

so you'll need to change those differences, for sure.

alextg · March 8, 2023, 10:16pm

In my last post, I showed the mapping of the index I'm using called "my_index" by running this from the console

GET my_index/_mapping?pretty

If possible, could you show the mapping of one of your indexes?

richcollier · March 8, 2023, 11:35pm

Sure!

  "alarm-messages": {
    "mappings": {
      "_meta": {
        "created_by": "file-data-visualizer"
      },
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "AHostname": {
          "type": "keyword"
        },
        "AHostname_keyword": {
          "type": "keyword"
        },
        "ActiveMins": {
          "type": "long"
        },
        "ActiveMins_keyword": {
          "type": "long"
        },
        "AlarmKey": {
          "type": "text"
        },
        "AlarmKey_keyword": {
          "type": "text"
        },
        "AlarmType": {
          "type": "keyword"
        },
        "AlarmType_keyword": {
          "type": "keyword"
        },
        "AlertCategory": {
          "type": "keyword"
        },
        "AlertCategory_keyword": {
          "type": "keyword"
        },
        "CaseDescription": {
          "type": "keyword"
        },
        "CaseDescription_keyword": {
          "type": "keyword"
        },
        "Cause": {
          "type": "keyword"
        },
        "Cause_keyword": {
          "type": "keyword"
        },
        "Domain": {
          "type": "keyword"
        },
        "Domain_keyword": {
          "type": "keyword"
        },
        "ElementName": {
          "type": "keyword"
        },
        "ElementName_keyword": {
          "type": "keyword"
        },
        "ElementType": {
          "type": "keyword"
        },
        "ElementType_keyword": {
          "type": "keyword"
        },
        "EventStatus": {
          "type": "keyword"
        },
        "EventStatus_keyword": {
          "type": "keyword"
        },
        "FirstAlertedTS": {
          "type": "date",
          "format": "epoch_second"
        },
        "FirstAlertedTS_keyword": {
          "type": "date",
          "format": "epoch_second"
        },
        "KPIMeasure": {
          "type": "keyword"
        },
        "KPIMeasure_keyword": {
          "type": "keyword"
        },
        "LatestAlertedTS": {
          "type": "date",
          "format": "epoch_second"
        },
        "LatestAlertedTS_keyword": {
          "type": "date",
          "format": "epoch_second"
        },
        "ManagerClass": {
          "type": "keyword"
        },
        "ManagerClass_keyword": {
          "type": "keyword"
        },
        "NEID": {
          "type": "keyword"
        },
        "NEID_keyword": {
          "type": "keyword"
        },
        "Network": {
          "type": "keyword"
        },
        "Network_keyword": {
          "type": "keyword"
        },
        "ProductName": {
          "type": "keyword"
        },
        "ProductName_keyword": {
          "type": "keyword"
        },
        "SendtoNOC": {
          "type": "keyword"
        },
        "SendtoNOC_keyword": {
          "type": "keyword"
        },
        "Severity": {
          "type": "keyword"
        },
        "Severity_keyword": {
          "type": "keyword"
        },
        "SourceEventID": {
          "type": "keyword"
        },
        "SourceEventID_keyword": {
          "type": "keyword"
        },
        "SourceEventType": {
          "type": "keyword"
        },
        "SourceEventType_keyword": {
          "type": "keyword"
        },
        "SourceSystem": {
          "type": "keyword"
        },
        "SourceSystem_keyword": {
          "type": "keyword"
        },
        "SubSourceType": {
          "type": "keyword"
        },
        "SubSourceType_keyword": {
          "type": "keyword"
        },
        "ThresholdValue": {
          "type": "long"
        },
        "ThresholdValue_keyword": {
          "type": "long"
        },
        "TriggerDescription": {
          "type": "text"
        },
        "TriggerDescription_keyword": {
          "type": "text"
        },
        "TriggerUnitsofMeasure": {
          "type": "keyword"
        },
        "TriggerUnitsofMeasure_keyword": {
          "type": "keyword"
        },
        "TriggerValue": {
          "type": "long"
        },
        "deviceCLLI": {
          "type": "keyword"
        },
        "deviceCLLI_keyword": {
          "type": "keyword"
        },
        "insertTimestamp": {
          "type": "date",
          "format": "MMM d, yyyy @ HH:mm:ss.SSS"
        },
        "name": {
          "type": "keyword"
        },
        "name_keyword": {
          "type": "keyword"
        }
      }
    }
  },

alextg · March 9, 2023, 2:23pm

The timestamp was causing issues. Your example is working as expected. Thanks for the feedback!

system · April 6, 2023, 2:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.