Conditional watcher alert

Hi,

Is it possible to set the alert triggering condition like ... the alert should trigger 10 mins after it reaches the threshold value?

Note: we have to wait for 10 mins to check whether the value is getting drained or not.

Thanks,
Velu G

Hi,

Can someone please assist with my above concern?

Thanks,
Velu G

Can you explain the setup a bit more, to make sure folks are not missing things. How about checking the values from 10 minutes ago; this way it should work? Is there more to this that is hidden between the lines?

Hi,

Please find the details below... Currently my watcher will trigger the alert whenever the threshold (14) is reached. Instead of this I want to set a conditional alert, where the alert needs to trigger when my threshold is breached for 10 mins or more.

{
  "trigger": {
    "schedule": {
      "hourly": {
        "minute": [
          0,
          10,
          20,
          30,
          40,
          50
        ]
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "eastern-mjsqueue-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match_all": {}
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-{{ctx.metadata.range_date_time}}"
                    }
                  }
                },
                {
                  "match_phrase": {
                    "fields.eastern_region": {
                      "query": "{{ctx.metadata.region}}"
                    }
                  }
                },
                {
                  "match_phrase": {
                    "jsondoc.mjsdestname.keyword": {
                      "query": "easternInboundQueue"
                    }
                  }
                },
                {
                  "range": {
                    "jsondoc.messagecurrentCount": {
                      "gt": "{{ctx.metadata.threshold}}"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "region": {
              "terms": {
                "field": "fields.eastern_region.keyword",
                "size": 5,
                "order": {
                  "_term": "desc"
                }
              },
              "aggs": {
                "perc": {
                  "percentiles": {
                    "field": "jsondoc.messagecurrentCount",
                    "percents": [
                      90
                    ],
                    "keyed": false
                  }
                },
                "currentcount": {
                  "max": {
                    "field": "jsondoc.messagecurrentCount"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "metadata": {
    "watcher_id": "mjsQ-0001",
    "range_date_time": "10m",
    "slack": true,
    "threshold": 14,
    "region": "east-on",
    "watcher_name": "Alert for eastern mjs Inbound Queue Depth by Percentiles",
    "email": true
  }
}

Please suggest how to proceed with the conditional alert.

Note: I don't want the alert immediately when it reaches the threshold 14.

Thanks,
Velu G

Hey,

Before thinking in terms of a watch, start thinking in terms of a search query. Can I create a search query that provides me the relevant information? My assumption in this case is that you may only want to trigger an action if the threshold is above the configured one in several consecutive runs. So, how can you write a query like this? Probably by using aggregations: using a date histogram to divide your data into time buckets, then retrieving the max value for each bucket, and then checking if all of the last n buckets are above your threshold?

Does that sound like a plan? If so, taking a look at the date histogram and the max aggregations might make sense.

Hope that helps to get started.

--Alex
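The approach Alex sketches, worked through as an added example (this is not code from the thread or from Elastic): a date_histogram over the watch window with a max sub-aggregation per minute bucket, and a condition that only fires when every one of the last n buckets is above the threshold. The index and field names are taken from Velu's watch; the aggregation names `per_minute` and `maxcount`, the `fixed_interval` parameter (Elasticsearch 7.2 or later; older versions use `interval`), the Painless condition string and the sample aggregation responses are my own assumptions and constructed data. Two details matter for the "has it drained?" question: the query must not filter on the count field (otherwise a minute with no breach simply has no documents and disappears), and `min_doc_count: 0` keeps such empty buckets in the histogram so they break the streak.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

# Names from the thread's watch; aggregation names are hypothetical choices.
INDEX_PATTERN = "eastern-mjsqueue-*"
COUNT_FIELD = "jsondoc.messagecurrentCount"
QUEUE_FIELD = "jsondoc.mjsdestname.keyword"


def build_search_body(window: str = "10m", interval: str = "1m",
                      queue: str = "easternInboundQueue") -> Dict[str, Any]:
    """Watch input body: max queue depth per `interval` bucket over the last `window`.

    Deliberately no range filter on COUNT_FIELD: the streak check below must see
    the quiet minutes too, and min_doc_count=0 keeps buckets without documents."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": f"now-{window}"}}},
            {"term": {QUEUE_FIELD: queue}},
        ]}},
        "aggs": {"per_minute": {
            "date_histogram": {"field": "@timestamp",
                               "fixed_interval": interval,  # assumed ES >= 7.2
                               "min_doc_count": 0},
            "aggs": {"maxcount": {"max": {"field": COUNT_FIELD}}},
        }},
    }


def breached_for_consecutive_buckets(aggs: Dict[str, Any], threshold: float, n: int) -> bool:
    """True only if each of the last n buckets has a max strictly above threshold
    (matching the original watch's "gt"). An empty bucket (max is None) counts as
    not breached, and fewer than n buckets means the window is not yet complete."""
    buckets: List[Dict[str, Any]] = aggs["per_minute"]["buckets"]
    if len(buckets) < n:
        return False
    for bucket in buckets[-n:]:
        value: Optional[float] = bucket["maxcount"]["value"]
        if value is None or value <= threshold:
            return False
    return True


# Assumed Painless equivalent for a watch "script" condition with params
# {"threshold": 14, "n": 10}; same logic as the Python function above.
PAINLESS_CONDITION = """
def b = ctx.payload.aggregations.per_minute.buckets;
if (b.size() < params.n) { return false; }
for (int i = b.size() - params.n; i < b.size(); i++) {
  if (b[i].maxcount.value == null || b[i].maxcount.value <= params.threshold) { return false; }
}
return true;
"""


def _sample_aggs(maxes: List[Optional[float]], start: datetime) -> Dict[str, Any]:
    """Constructed aggregation response shaped like date_histogram output."""
    buckets = []
    for i, m in enumerate(maxes):
        ts = start + timedelta(minutes=i)
        buckets.append({
            "key_as_string": ts.isoformat(),
            "key": int(ts.timestamp() * 1000),
            "doc_count": 0 if m is None else 3,
            "maxcount": {"value": m},
        })
    return {"per_minute": {"buckets": buckets}}


START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed
# Depth stayed above 14 for all ten minutes: alert.
SUSTAINED = _sample_aggs([15, 16, 20, 18, 15, 17, 19, 22, 16, 15], START)
# Depth spiked, then the queue drained (one empty minute, then low values): no alert.
DRAINED = _sample_aggs([15, 16, 20, 18, 15, None, 2, 3, 1, 0], START)
# Depth dipped to exactly 14 once in the middle: the streak is broken, no alert.
FLAPPING = _sample_aggs([15, 16, 20, 14, 15, 17, 19, 22, 16, 15], START)

if __name__ == "__main__":
    for name, aggs in (("sustained", SUSTAINED), ("drained", DRAINED), ("flapping", FLAPPING)):
        print(name, breached_for_consecutive_buckets(aggs, threshold=14, n=10))
```

With a 10 minute window and 1 minute buckets, n=10 means "above 14 for the whole window"; if the watch keeps its current 10 minute schedule the alert can lag up to 10 minutes behind the breach, so a per-minute schedule (and a throttle period on the action) is the usual pairing.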
