Hi, I am collecting logs from several different servers and I would like to set up a watcher that counts the number of errors reported and triggers a response once a certain threshold is exceeded.
I have it working, but it counts all errors across all servers combined. How can I instead get the highest error count reported by any single server?
Here's my watcher:
{
"trigger": {
"schedule": {
"interval": "24h"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logs*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-1d",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time||epoch_millis"
}
}
},
{
"term": {
"log.level": "Error"
}
}
]
}
}
}
}
}
},
"condition": {
"script": {
"source": "if (ctx.payload.hits.total > params.threshold) { return true; } return false;",
"lang": "painless",
"params": {
"threshold": 1000
}
}
},
"actions": {
"slack_1": {
"slack": {
"message": {
"text": "More than 1000 errors reported"
}
}
}
},
"transform": {
"script": {
"source": "HashMap result = new HashMap(); result.result = ctx.payload.hits.total; return result;",
"lang": "painless",
"params": {
"threshold": 100
}
}
}
}