Compare a value from current index against the previous day

mick66 · March 9, 2016, 3:52pm

I have an overnight process that creates a daily index at 02:00 : myindex-YYYY-MM-DD

This index has eight fields, but I am interested in three:

server_name
id_no
result

The value of result will be either PASS or FAIL

I would like to create a watch that compares the index from today against the index from yesterday and alerts me of any changes to the result field value.

For example:

index1:

@datetime:2016-03-08
server_name: server1
id_no: 1.1
result: PASS

Index 2

 @datetime:2016-03-09
 server_name: server1
 id_no: 1.1
 result: FAIL

I would like to receive an alert that server1, id 1.1, result is now set to FAIL.

I am not sure if this is possible with Watcher, but any help that anyone could provide on this would be much appreciated.

spinscale · March 9, 2016, 4:21pm

Hey,

I see two possibilities here.

First, use the chained input, and run two different search requests and then use the compare condition to compare them.

Second, be able to write a single search query that returns both results (maybe by using aggs) and compare that output.

The first solution sounds better from my outside view, but if it is easy to create a single query, go with that.

Hope this helps.

--Alex

Topic		Replies	Views
Current Date in watcher Elasticsearch	6	102	April 18, 2024
How to Compare two different fields value of two different index? Elasticsearch elastic-stack-alerting	18	13044	June 21, 2018
Watcher, how to create and compare arrays Elasticsearch	1	212	October 28, 2022
Ability to search ES based on a result of previous search in a watcher Elasticsearch elastic-stack-alerting	7	2490	April 27, 2020
Watcher Compare 2 fields from the same index Elasticsearch elastic-stack-alerting	3	1872	June 17, 2019

Compare a value from current index against the previous day

Related Topics