Compare a value from current index against the previous day

mick66 · March 9, 2016, 3:52pm

I have an overnight process that creates a daily index at 02:00 : myindex-YYYY-MM-DD

This index has eight fields, but I am interested in three:

server_name
id_no
result

The value of result will be either PASS or FAIL

I would like to create a watch that compares the index from today against the index from yesterday and alerts me of any changes to the result field value.

For example:

index1:

@datetime:2016-03-08
server_name: server1
id_no: 1.1
result: PASS

Index 2

 @datetime:2016-03-09
 server_name: server1
 id_no: 1.1
 result: FAIL

I would like to receive an alert that server1, id 1.1, result is now set to FAIL.

I am not sure if this is possible with Watcher, but any help that anyone could provide on this would be much appreciated.

spinscale · March 9, 2016, 4:21pm

Hey,

I see two possibilities here.

First, use the chained input, and run two different search requests and then use the compare condition to compare them.

Second, be able to write a single search query that returns both results (maybe by using aggs) and compare that output.

The first solution sounds better from my outside view, but if it is easy to create a single query, go with that.

Hope this helps.

--Alex

Topic		Replies	Views
Current Date in watcher Elasticsearch	6	103	April 18, 2024
X-pack watcher: Compare alerts from yesterday Elasticsearch	8	1036	November 21, 2017
How to Compare two different fields value of two different index? Elasticsearch elastic-stack-alerting	18	13057	June 21, 2018
Watcher, how to create and compare arrays Elasticsearch	1	212	October 28, 2022
Comparing the values of two indices(index1 vs forecast_index) Elasticsearch elastic-stack-alerting	8	1204	August 22, 2018

Compare a value from current index against the previous day

Related topics