Can't get a Watch to operate within the proper timezone

alerting

(Kevin Soucy) #1

We are having difficulty getting watches to locate data in the correct timezone. We can get the watches to "execute" within the proper timezone, but the execution of the watch never seems to find the data matching the criteria. For test purposes we have created a standalone query (executed via curl) with the exact same query in it. This "curl" query matches on the criteria, but the watch does not.

Here's the query portion of the script we use via curl:
{
  "size": 0,
  "aggs": {
    "Fatal_errs" : {
      "terms": { "field": "host" }
    }
  },
  "query": {
    "filtered": {
      "query": {"match" : {"Error" : "FATAL ERROR"}},
      "filter": {
        "range": { "@timestamp": { "gt" : "now-'"$intv"'" }}
      }
    }
  }
}'

This finds and aggregates the fatal errors by host for the interval we feed it, if there are fatal errors in the stored events for the range.

This is the watch setup

"search" : {
  "request" : {
    "indices" : [ "<abcd-{now\/d}" ],
    "types" : [ "abcdefg-systemErr" ],
    "body" : {
      "size": 0,
      "aggs": {
        "Fatal_errs" : {
          "terms": { "field": "host" }
        }
      },
      "query": {
        "filtered": {
          "query": {"match" : {"Error" : "FATAL ERROR"}},
          "filter": {
            "range": { "@timestamp": { "gt" : "now-2m" }}
          }
        }
      }
    }
  }
}
},
"condition" : {
  "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},

This never matches (result.condition.met is always false), even when the manual script does match. We've tried adding a timezone parameter ("time_zone": "-04:00") after the range, but still no match.

So, the question is: how does one get a watch to operate in the timezone that you wish it to?
I would expect consistency in the way queries operate in the ES environment regardless of what utility they execute from.


(Alexander Reelsen) #2

Hey,

I think the problem is your invalid escaping of the slash in the time based index name. It does not work with a backslash but requires proper URI encoding.

--Alex


(Kevin Soucy) #3

Thank you. You got me to the proper place. I had missed the ">" at the end of the index name. The "\" you see in there I had added because the post would not format properly unless I escaped that "/".

Appreciate your help.
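
An added example, not part of the thread or any poster's code: a Python check for the two points raised above, the closing ">" on a date-math index name in a watch body and percent-encoding when the same name is used in a request path. The enclosing `input` key, the function names and the sample JSON are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import quote

# Date-math index name syntax: <static_name{date_math_expr{date_format|time_zone}}>
DATE_MATH = re.compile(r"^<[^<>{}]*\{[^{}]+(\{[^{}]+\})?\}[^<>{}]*>$")


def check_index_name(name):
    """Return the problems found in one entry of a watch's "indices" list."""
    if not (name.startswith("<") or "{" in name or "}" in name):
        return []  # plain index name or wildcard pattern, nothing to check
    problems = []
    if not name.startswith("<"):
        problems.append("date math expression must start with '<'")
    if not name.endswith(">"):
        problems.append("date math expression must end with '>'")
    if not problems and not DATE_MATH.match(name):
        problems.append("malformed date math expression")
    return problems


def lint_watch(watch_json):
    """Parse a watch definition and map each bad index name to its problems."""
    watch = json.loads(watch_json)
    # Assumption: the search request sits under input.search.request.
    indices = watch["input"]["search"]["request"].get("indices", [])
    return {n: p for n in indices if (p := check_index_name(n))}


def encode_for_url(name):
    """Percent-encode a date-math name for use in a request path."""
    return quote(name, safe="")


# Constructed sample reproducing the "indices" value as posted in #1.
# JSON decodes "\/" to "/", so the backslash itself is harmless in a body.
WATCH_AS_POSTED = r'''
{"input": {"search": {"request": {
  "indices": ["<abcd-{now\/d}"],
  "types": ["abcdefg-systemErr"]
}}}}
'''

if __name__ == "__main__":
    for name, problems in lint_watch(WATCH_AS_POSTED).items():
        print(f"{name}: {'; '.join(problems)}")
    print(encode_for_url("<abcd-{now/d}>"))
```
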

