Alert on SUM of field exeeding certain value?

spinscale · June 8, 2017, 7:49am

Hey,

this sounds possible to me. The important part here is to write a proper search query (independent from the watch). The search query needs to do the following

have a range filter in your query that filters from the first of the month until now
have a term filter in your query (or a match query), that filters for the host you are interested in
have a sum aggregation in your request, that counts up your bytes (use the sum aggregation

Now you got the correct data (a single aggregation response returning a number), which you can use in the watcher condition to check if it exceeds a threshold.

If it does, send an email - where you can include this exact data.

One last thing: If the IP is dynamic, you could just have an aggregation for the ip address, and then calculate the sum for each IP.

Hope this helps.

--Alex

Topic		Replies	Views
How to write the watcher condition & trigger rule Elasticsearch elastic-stack-alerting	5	4248	July 6, 2017
Cannot find correct ctx.payload path to use Elasticsearch	6	1862	August 24, 2018
By host Watch strategy Elasticsearch elastic-stack-alerting	4	1217	July 6, 2017
Creating a Watch with Nest difficulty Elasticsearch elastic-stack-alerting	3	1655	July 6, 2017
Watcher alert on buckets data Elasticsearch elastic-stack-alerting	5	4293	November 22, 2017

Alert on SUM of field exeeding certain value?

Related topics