Is it possible to have the watch action acknowledged as soon as it has been executed?
Fancy the idea that we will only receive one alert as long as the alert condition is still the same, and only to receive the next one if the alert condition is met after it has returned to normal before.
It seems it is possible to run a webhook action and then have it to run the API via logstash, but just wondering if there's any native way to do this within watcher itself.
Hmm, that might be a little to Skynet, don't you think?
I think the feature you're looking for is called throttling, which you can define as throttle_period at the top-level of the watch, or within an individual action:
https://www.elastic.co/guide/en/watcher/current/actions.html#actions-ack-throttle
That seems like it will probably work for you?
Hm yeah, the throttle will do I suppose. We'll still get multiple alerts for the same incident but at least we can control how often we will get it..
Thanks for the suggestion!
Hey,
one part on our roadmap is to have a history of earlier watch executions available in the context, so you could use this in a scripted condition. We are still hashing it out, but this might help you in the future!
--Alex
That would be good indeed, thanks for letting us know.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.