Create a simple http status code watcher

Hi
I am pretty new to this and I have been studying the docs for the last two days, but I am struggling to create a simple watcher that does the following:

From a Heartbeat that checks multiple URLs and sends the log to the heartbeat* index, alert me if at least one of the HTTP status codes was NOT 200 in the last 5 minutes. (Ideally I want the alert to happen if two or more response codes were not 200 in the last 5 minutes, but I haven't gotten that far.)

This is my current config

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "bucketAgg": {
              "terms": {
                "field": "http.response.status_code",
                "size": "5",
                "order": {
                  "metricAgg": "desc"
                }
              },
              "aggs": {
                "metricAgg": {
                  "avg": {
                    "field": "http.response.status_code"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value !== params.threshold) { return true; } } return false;",
      "lang": "painless",
      "params": {
        "threshold": 200
      }
    }
  },
  "actions": {
   
  }
}

I was able to write an "Alert me if any of the response codes were higher than 200" watcher, but that did not include the condition where there was no response code at all and the field http.response.status_code was empty. No HTTP response should also trigger an alert.

Any help would be much appreciated
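
One way to express the requirement described in this post, as an added example that is not part of the original post: a `must_not` term clause on `http.response.status_code` matches documents whose code is not 200 as well as documents where the field is absent, so a plain `compare` condition on the hit count covers both cases. It assumes the heartbeat* indices hold only HTTP monitor documents; the action name `log_non_200` and its message text are constructed for illustration.

```json
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["heartbeat*"],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              },
              "must_not": {
                "term": { "http.response.status_code": 200 }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gte": 2 } }
  },
  "actions": {
    "log_non_200": {
      "logging": {
        "text": "{{ctx.payload.hits.total}} Heartbeat checks without HTTP 200 in the last 5 minutes"
      }
    }
  }
}
```

Setting `gte` to 1 gives the "at least one" variant; 2 gives the "two or more" variant mentioned in the post.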
