Alert when there is no data in index

I have data coming into an index from a few different sources and I want to create an alert (preferably Slack) when there's no data for the last few minutes for one of the sources (filter by unique id field).
I'm trying to use watchers, but can't make it work.
What's the best way to do it?
Thanks


Can you explain what you tried so far, so others can follow along? The main question here is not coming up with the watch, but coming up with the right query to answer this question. So what does your query look like?

You could have a query that has two aggregations, one from now-5m and one from -5m-10m, and then compare those buckets, for example. Does that sound feasible or am I missing something?

I want to create an alert when the count of records that match a specific field in the index in the last minute is 0.
These are my problems:

  1. I can't find a way to configure in a watcher a condition on a specific field (which means that it looks at all the data in the index instead of filtering it)
  2. How to configure Slack integration in Elastic Cloud?

Can you explain in more detail what the problem with the condition is? Using a script condition you can access any field in the payload (which contains the full search response) and decide on any criteria if an action should be triggered.

Regarding Slack: You can configure [secure settings](https://www.elastic.co/guide/en/cloud/current/ec-configuring-keystore.html) and there is a small paragraph about setting up watcher in Elastic Cloud as well. If anything is missing, let us know!
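
A watch body that covers both questions in this thread, as an added example that is not part of any post above: the search input filters on one source before counting, and the condition fires only when that filtered count is zero. It would be sent with `PUT _watcher/watch/<watch-id>`; the index `my-index`, the fields `source_id` and `@timestamp`, the source value, the channel and the Slack account name `monitoring` (whose webhook URL is assumed to be stored in the keystore as `xpack.notification.slack.account.monitoring.secure_url`) are all placeholders.

```json
{
  "metadata": {
    "note": "Added example. Index, field names, source id, account and channel are placeholders.",
    "source_id": "source-a",
    "window": "5m"
  },
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["my-index"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "source_id": "{{ctx.metadata.source_id}}" } },
                { "range": { "@timestamp": { "gte": "now-{{ctx.metadata.window}}" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "eq": 0 } }
  },
  "throttle_period": "15m",
  "actions": {
    "notify_slack": {
      "slack": {
        "account": "monitoring",
        "message": {
          "to": ["#alerts"],
          "text": "No documents from {{ctx.metadata.source_id}} in my-index during the last {{ctx.metadata.window}}."
        }
      }
    }
  }
}
```

The `term` filter only matches exactly when the id field is mapped as `keyword`, and the window should be longer than the source's normal gap between documents so that ordinary ingest delay does not trigger the alert.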
