Advancing alert using watcher

Elastic Stack Elasticsearch
1

HI Team,
I'm very new watcher part and i want to create one alert, please help me on this alert.

My scenario:
i want to compare one field which i stored on the index for certain time period.

for example: In the 1m of time interval if i got that value more than 5 i want to trigger the alert. and i want bring that event word in subject,
please find my below code,

  {
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "index"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "match": {
              "headers.httpStatusCode": "200"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 5
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "xxxx@xx.com"
        ],
        "subject": "cardinality Alert",
        "body": {
          "text": "Respective value has been occured more than 5 time in a min"
        }
      }
    }
  }
}
2

hey,

can you explain what you mean with event word in subject. What exactly do you refer to? Are you talking about the hits of a search response?

--Alex

3

event mean field which i'm comparing and i want to show that word in body of the message.

Alert trigger should happen only when the condition is matched

4

sorry, but this is impossible to follow if you dont take some more time to explain the use-case, showing sample documents, showing the query you want to match so that others understand what you are trying to do. At least I do have a hard time to figure out the requirement here.

Thanks!

1 Like
5

my requirement is simple, i want to show the field in body of my email how can i perform that like this,

<h2 style='background-color:red;'>{{ctx.payload.hits.total}} errors have been found since {{ctx.execution_time}} UTC

i want to show the error code("headers.httpStatusCode": "200") in the place {{ctx.payload.hits.total}}

6

Check out the examples at https://github.com/elastic/examples/tree/master/Alerting/Sample%20Watches

you can access the hits array via ctx.payload.hits.hits.0._source

7

but when i try that im getting this error

 "id": "send_email",
        "type": "email",
        "status": "failure",
        "error": {
          "root_cause": [
            {
              "type": "general_script_exception",
              "reason": "Error running com.github.mustachejava.codes.DefaultMustache@16d2a49b"
            }
          ],
          "type": "general_script_exception",
          "reason": "Error running com.github.mustachejava.codes.DefaultMustache@16d2a49b",
          "caused_by": {
            "type": "mustache_exception",
            "reason": "Failed to get value for ctx.payload.hits.hits.0._source.headers.httpStatusCode @[query-template:1]",
            "caused_by": {
              "type": "mustache_exception",
              "reason": "0 @[query-template:1]",
              "caused_by": {
                "type": "index_out_of_bounds_exception",
                "reason": "0"
8

below error is resolved and i mentioned those ctx in subject instead of body

9

It's normal to get this error because the array ctx.payload.hits.hits is empty because you put this in your query .

size 0 mean 0 document accessible in the output of the query

to fix it , just set a size >0 for example

"size" :15

10

thank you @elastock i made that change also.

11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.