Create a watcher alert - extract a field and to compare

sree3 · September 11, 2022, 11:51am

Hi Team,

I am trying to create a new thershold watcher alert for a value that is present inside the "message" field. But i was unable to get it right. Someone could please help to resolve the issue.

Below is the JSON template that i've tried

{
  "trigger": {
    "schedule": {
      "interval": "2m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "applications-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "message": {
                      "query": "heap.memory.used/total",
                      "operator": "and"
                    }
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-3m"
                    }
                  }
                }
              ]
            }
          },
          "_source": [
            "message",
            "beat.name"
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total.heap.memory.used/total": {
        "gt": 90
      }
    }
  },
  "actions": {
    "email_me": {
      "email": {
        "profile": "standard",
        "priority": "high",
        "to": [
          "xxx@abc.com"
        ],
        "subject": "Test heap/memory",
        "body": {
          "text": "Message = {{ctx.payload.hits.hits.0._source.message}}"
        }
      }
    }
  },
  "metadata": {
    "color": "red"
  },
  "throttle_period_in_millis": 900000
}

richcollier · September 12, 2022, 10:57am

This implies you haven't parsed your data properly into fields. You can either adjust your ingest pipeline or create a runtime field in the meantime to get the value of heap.memory.used/total

sree3 · September 15, 2022, 3:10am

Thanks @richcollier . I shall try adjust the ingest.
Thanks

system · October 13, 2022, 3:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Creating a watcher to compare a float value Elasticsearch elastic-stack-alerting	7	830	November 19, 2019
Can't get a field from the ctx.payload in Kibana watcher Kibana	5	6839	April 17, 2018
Create WATCHER with dynamic search value Kibana	3	406	June 10, 2020
Watcher alert for matching multiple fields in same index Kibana elastic-stack-alerting	3	919	June 29, 2021
Kibana watcher alert error Elasticsearch elastic-stack-alerting	2	615	August 29, 2019

Create a watcher alert - extract a field and to compare

Related Topics