Creating a watcher comparing the last and previous status of a windows service

Hello, can anyone provide guidance on how to form the input query for a watcher to retrieve the last and previous status ("windows.service.state") for each "windows.service.display_name" collected through Metricbeat? Is there API functionality to fetch the last and former sample?

hey,

there are two ways of solving this.

First (and I think this is the easier solution), you can either write two search inputs, one that searches the last 5 minutes and another that searches the 5-10 minutes before that, and then compare the outputs, or write a proper aggregation and do this within one query. Second, you could query the watch history and check the result from the previous watch execution.

Hope that helps as a start.

--Alex

Hi @spinscale, thanks for your prompt reply. Maybe some more clarification on the challenges we're facing would help :) The applicable Metricbeat index contains docs holding the service status of multiple services on multiple hosts. The challenges we face:

  • We would like to compare the current service status for each service on each host against its previous status (hostX.serviceY.current_status compared with hostX.serviceY.previous_status). The attached input JSON doesn't give us that as yet: it still aggregates over multiple services over multiple hosts. How to go about that?

  • Although we seem to have a way to get the current (now-5min till now) and previous status (now-10min till now-5min), it still seems a bit complex. Do you know if there is any API functionality that would give us the most recent windows.service.state value?

Watcher JSON:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "term": {
                    "windows.service.start_type": "Manual"
                  }
                },
                {
                  "range": { "@timestamp": { "from": "now-60m", "to": "now" } }
                }
              ]
            }
          },
          "aggs": {
            "data": {
              "filters": {
                "filters": {
                  "latest": {
                    "range": { "@timestamp": { "from": "now-15m", "to": "now" } }
                  },
                  "previous": {
                    "range": { "@timestamp": { "from": "now-60m", "to": "now-15m" } }
                  }
                }
              },
              "aggs": {
                "services": {
                  "terms": {
                    "field": "windows.service.display_name",
                    "size": 1000
                  },
                  "aggs": {
                    "statuses": {
                      "terms": {
                        "field": "windows.service.state",
                        "size": 1
                      }
                    }
                  }
                }
              }
            }
          }
        },
        "indices": [
          "metricbeat-*"
        ]
      }
    }
  },
  "condition": {
    "script": {
      "inline": "return 1<2"
    }
  },
  "actions": {
    "email_hj": {
      "email": {
        "to": "harm-jan.wijnen@capgemini.com",
        "subject": "test watcher",
        "body": "test body"
      }
    }
  }
}

Watcher search JSON:

GET /metricbeat-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "windows.service.start_type": "Manual"
          }
        },
        {
          "range": { "@timestamp": { "from": "now-60m", "to": "now" } }
        }
      ]
    }
  },
  "aggs": {
    "data": {
      "filters": {
        "filters": {
          "latest": {
            "range": { "@timestamp": { "from": "now-15m", "to": "now" } }
          },
          "previous": {
            "range": { "@timestamp": { "from": "now-60m", "to": "now-15m" } }
          }
        }
      },
      "aggs": {
        "services": {
          "terms": {
            "field": "windows.service.display_name",
            "size": 1000
          },
          "aggs": {
            "statuses": {
              "terms": {
                "field": "windows.service.state",
                "size": 1
              }
            }
          }
        }
      }
    }
  }
}

@J_Weeda To get the last value, you could use a top_hits aggregation with size 1 sorted on @timestamp (https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-top-hits-aggregation.html).

Interesting idea for a watch, by the way (could also use something similar).

Unfortunately, imho, it will be quite difficult to achieve what you are asking. Maybe if you created one watch per host it would be easier, so that you only need to query the last state of each service and not the last state of each service on each host?

Grtz
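Putting the two suggestions together, as an added example that is not part of the original thread: the question asks for the last and former sample per host and per service, Alex suggested comparing two windows or doing it in one aggregation, and the last reply pointed at top_hits. A single query with a terms aggregation on host, a nested terms aggregation on display name and a top_hits of size 2 sorted on @timestamp descending returns exactly those two samples for every (host, service) pair, so the comparison becomes a loop over the response. The code below is my own illustration and assumes the ECS host field "host.name", the aggregation names "hosts", "services" and "last_two", and terms sizes of 500/1000; the sample response is constructed by hand in the shape Elasticsearch returns for this query.

```python
# Added example, not code from the original thread. Assumed names: "host.name",
# the aggregation names "hosts"/"services"/"last_two", and the terms sizes.
from typing import Any

INDEX_PATTERN = "metricbeat-*"

# One query: for every host and every Manual-start service, return the two most
# recent samples. top_hits sorted on @timestamp desc with size 2 gives the "last"
# and "former" sample directly; the outer 60-minute range only bounds the scan.
QUERY: dict[str, Any] = {
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                {"term": {"windows.service.start_type": "Manual"}},
                {"range": {"@timestamp": {"gte": "now-60m", "lte": "now"}}},
            ]
        }
    },
    "aggs": {
        "hosts": {
            "terms": {"field": "host.name", "size": 500},
            "aggs": {
                "services": {
                    "terms": {"field": "windows.service.display_name", "size": 1000},
                    "aggs": {
                        "last_two": {
                            "top_hits": {
                                "size": 2,
                                "sort": [{"@timestamp": {"order": "desc"}}],
                                "_source": ["@timestamp", "windows.service.state"],
                            }
                        }
                    },
                }
            },
        }
    },
}


def truncated_buckets(response: dict[str, Any]) -> list[str]:
    """Names of terms aggregations whose size was too small (sum_other_doc_count > 0),
    i.e. hosts or services the watch silently did not look at."""
    truncated = []
    hosts = response["aggregations"]["hosts"]
    if hosts.get("sum_other_doc_count", 0) > 0:
        truncated.append("hosts")
    for host in hosts["buckets"]:
        if host["services"].get("sum_other_doc_count", 0) > 0:
            truncated.append(f"services@{host['key']}")
    return truncated


def state_changes(response: dict[str, Any]) -> list[dict[str, str]]:
    """Compare the newest sample with the one before it for each (host, service)
    and return the pairs whose windows.service.state differs. A bucket with a
    single sample has nothing to compare against and is skipped, not reported."""
    changes = []
    for host in response["aggregations"]["hosts"]["buckets"]:
        for svc in host["services"]["buckets"]:
            hits = svc["last_two"]["hits"]["hits"]
            if len(hits) < 2:
                continue
            current = hits[0]["_source"]["windows"]["service"]["state"]
            previous = hits[1]["_source"]["windows"]["service"]["state"]
            if current != previous:
                changes.append({"host": host["key"], "service": svc["key"],
                                "previous": previous, "current": current})
    return changes


# Constructed sample response (not real data) in the shape Elasticsearch returns
# for QUERY: hostA's Print Spooler went from Running to Stopped, Windows Update is
# unchanged, hostB has only one sample and 3 services beyond the terms size.
def _hit(ts: str, state: str) -> dict[str, Any]:
    return {"_source": {"@timestamp": ts, "windows": {"service": {"state": state}}}}


SAMPLE_RESPONSE: dict[str, Any] = {
    "aggregations": {"hosts": {"sum_other_doc_count": 0, "buckets": [
        {"key": "hostA", "services": {"sum_other_doc_count": 0, "buckets": [
            {"key": "Print Spooler", "last_two": {"hits": {"hits": [
                _hit("2019-05-10T10:05:00Z", "Stopped"),
                _hit("2019-05-10T10:00:00Z", "Running")]}}},
            {"key": "Windows Update", "last_two": {"hits": {"hits": [
                _hit("2019-05-10T10:05:00Z", "Running"),
                _hit("2019-05-10T10:00:00Z", "Running")]}}},
        ]}},
        {"key": "hostB", "services": {"sum_other_doc_count": 3, "buckets": [
            {"key": "Print Spooler", "last_two": {"hits": {"hits": [
                _hit("2019-05-10T10:05:00Z", "Running")]}}},
        ]}},
    ]}}
}

if __name__ == "__main__":
    for c in state_changes(SAMPLE_RESPONSE):
        print(f"{c['host']}: {c['service']} {c['previous']} -> {c['current']}")
    print("truncated buckets:", truncated_buckets(SAMPLE_RESPONSE))
```

In a watch, QUERY goes into input.search.request.body and the same loop is written as a Painless script condition over ctx.payload.aggregations, with a transform building the e-mail body from the changed pairs. Two checks matter in practice: a non-zero sum_other_doc_count means the terms size dropped hosts or services, so the watch is blind to them, and when Metricbeat misses a collection the "former" hit can be much older than one interval, so compare the two @timestamp values as well if you need to know that the change happened within the last cycle.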
