Advancing alert using watcher

Hi Team,
I'm very new to the Watcher part and I want to create one alert; please help me with this alert.

My scenario:
I want to compare one field which I stored in the index for a certain time period.

For example: in a 1m time interval, if I get that value more than 5 times I want to trigger the alert, and I want to bring that event word into the subject.
Please find my code below:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "index"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "match": {
              "headers.httpStatusCode": "200"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 5
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "xxxx@xx.com"
        ],
        "subject": "cardinality Alert",
        "body": {
          "text": "Respective value has been occured more than 5 time in a min"
        }
      }
    }
  }
}

Hey,

can you explain what you mean by "event word in subject"? What exactly are you referring to? Are you talking about the hits of a search response?

--Alex

Event means the field which I'm comparing, and I want to show that word in the body of the message.

The alert trigger should happen only when the condition is matched.

Sorry, but this is impossible to follow if you don't take some more time to explain the use case, showing sample documents and the query you want to match so that others understand what you are trying to do. At least I have a hard time figuring out the requirement here.

Thanks!


My requirement is simple: I want to show the field in the body of my email. How can I perform that, like this:

<h2 style='background-color:red;'>{{ctx.payload.hits.total}} errors have been found since {{ctx.execution_time}} UTC</h2>

I want to show the error code ("headers.httpStatusCode": "200") in the place of {{ctx.payload.hits.total}}.

Check out the examples at https://github.com/elastic/examples/tree/master/Alerting/Sample%20Watches

You can access the hits array via ctx.payload.hits.hits.0._source.

But when I try that I'm getting this error:

 "id": "send_email",
        "type": "email",
        "status": "failure",
        "error": {
          "root_cause": [
            {
              "type": "general_script_exception",
              "reason": "Error running com.github.mustachejava.codes.DefaultMustache@16d2a49b"
            }
          ],
          "type": "general_script_exception",
          "reason": "Error running com.github.mustachejava.codes.DefaultMustache@16d2a49b",
          "caused_by": {
            "type": "mustache_exception",
            "reason": "Failed to get value for ctx.payload.hits.hits.0._source.headers.httpStatusCode @[query-template:1]",
            "caused_by": {
              "type": "mustache_exception",
              "reason": "0 @[query-template:1]",
              "caused_by": {
                "type": "index_out_of_bounds_exception",
                "reason": "0"

The below error is resolved; I mentioned those ctx in the subject instead of the body.

It's normal to get this error, because the array ctx.payload.hits.hits is empty due to what you put in your query.

size 0 means 0 documents are accessible in the output of the query.

To fix it, just set a size > 0, for example:

"size": 15
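The corrected watch, as an added example that is not from this thread or from the Elastic examples repo: size is raised above 0 so ctx.payload.hits.hits.0._source is populated, the status code from the first hit is referenced in the subject and body, and a range filter on an assumed @timestamp field restricts the count to the last minute so the gte 5 condition counts events in the 1m window rather than every document in the index.

```json
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "index" ],
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "filter": [
                { "match": { "headers.httpStatusCode": "200" } },
                { "range": { "@timestamp": { "gte": "now-1m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gte": 5 } }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [ "xxxx@xx.com" ],
        "subject": "Status {{ctx.payload.hits.hits.0._source.headers.httpStatusCode}} seen {{ctx.payload.hits.total}} times in the last minute",
        "body": {
          "text": "{{ctx.payload.hits.total}} events with status {{ctx.payload.hits.hits.0._source.headers.httpStatusCode}} have been found since {{ctx.execution_time}} UTC"
        }
      }
    }
  }
}
```

The "@timestamp" field name is an assumption; substitute the document's own time field. Because the compare condition requires at least 5 hits before the action runs, the template is never rendered against an empty hits array, which is what produced the index_out_of_bounds_exception above.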

Thank you @elastock, I made that change also.
