Count the chattiest server

Hi, I am getting logs from different servers and I would like to build a watcher that counts the number of errors reported and triggers a response once a certain threshold is exceeded.
I have it working, but it counts all errors across all servers combined. How can I instead get the highest error count reported by any single server?
Here's my watcher:

{
  "trigger": {
    "schedule": {
      "interval": "24h"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logs*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "{{ctx.trigger.scheduled_time}}||-1d",
                      "lte": "{{ctx.trigger.scheduled_time}}",
                      "format": "strict_date_optional_time||epoch_millis"
                    }
                  }
                },
                {
                  "term": {
                    "log.level": "Error"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.hits.total > params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 1000
      }
    }
  },
  "actions": {
    "slack_1": {
      "slack": {
        "message": {
          "text": "More than 1000 errors reported"
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": "HashMap result = new HashMap(); result.result = ctx.payload.hits.total; return result;",
      "lang": "painless",
      "params": {
        "threshold": 100
      }
    }
  }
}

The way I think this could be accomplished is by adding a terms aggregation on the "server" field to your query. Because a terms aggregation orders its buckets by document count, highest first, by default, the first bucket holds the chattiest server; you would then read that bucket (I think it should be ctx.payload.aggregations.<my_agg>.buckets[0].doc_count) in the watch condition instead of ctx.payload.hits.total.
