Let me explain my scenario. Let's assume, we have 2 different
patterns found in the logs, one is "import finished" and the other one
is "sendout started". So there are two different events with those two
different patterns. I would like to create an alert by Watcher if the
time between those two events exceeds some threshold value. How to
calculate time between those two events having different query patterns?
Is it possible within Watcher, if so, how? Thanks in advance.
everything in watcher boils down if you are able to express your problem using a regular Elasticsearch query. Can you link those two events in a query and then check on the client side if those two times are ok? Might it actually make more sense to have another processing component that takes those two events and creates a single one which then can be queried? One of my colleagues, Mark Harwood, refers to this strategy as Entity Centric Indexing, and he has given several talks about this, which you should check out, if you are more interested in it. See
one minor update (that said, I still prefer the entity centric solution).
You could execute two searches using the chained input and check in a scripted condition if the search results from your start event are not too far away from the search result of your end event.
Thanks Alex. I will first try this solution using chain. Need a bit research on the Entity centric solution. Thanks for all those links. I will post my solution later.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.