Creating a watcher to check for no data in all the indices

Hello team,
I need to create a watcher to check for no data in all the indices. I have 100+ indices in total.

  1. I am using the script below. In `indices`, I am putting `*` — does this work?
  2. I need every index name that has 0 records in the last 15 min listed in the email body.
{
  "trigger": {
    "schedule": {
      "interval": "240m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-15m",
              "lte": "now",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "lte": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "from": "mj@gmail.com",
        "to": [
          "abc@gmail.com"
        ],
        "subject": "Test Email :: There is no log data from last 15 min in below indices",
        "body": {
          "html": """<html>
  <body>
    <strong>There is no log data from last 15 min in below indices </strong>

//  need to display list of indices here.

    <br />
 <br /> 
 
  </body>
</html>
"""
        }
      }
    }
  }
}

You could do something like this:

{
    "trigger": {
      "schedule": {
        "interval": "15m"
      }
    },
    "metadata": {
      "longer_time": "14d/d",
      "shorter_time": "15m",
      "alarm_type": "Packet Loss"
    },
    "input": {
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 0,
            "aggs": {
              "index_names": {
                "terms": {
                  "field": "_index",
                  "size": 10000
                },
                "aggs": {
                  "older_data": {
                    "filter": {
                      "query_string": {
                        "default_field": "@timestamp",
                        "query": "@timestamp:[now-{{ctx.metadata.longer_time}} TO now-{{ctx.metadata.shorter_time}}]"
                      }
                    }
                  },
                  "newer_data": {
                    "filter": {
                      "query_string": {
                        "default_field": "@timestamp",
                        "query": "@timestamp:[now-{{ctx.metadata.shorter_time}} TO now]"
                      }
                    }
                  },
                  "expose_olders_not_in_newers": {
                    "bucket_selector": {
                      "buckets_path": {
                        "older": "older_data._count",
                        "newer": "newer_data._count"
                      },
                      "script": "params.older > 0 && params.newer == 0"
                    }
                  }
                }
              },
              "final_count": {
                "stats_bucket": {
                  "buckets_path": "index_names._count"
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": """
        return ctx.payload.aggregations.final_count.count > 0; 
          """
    },
    "actions": {
      "log": {
        "transform": {
          "script": """
                    return ctx.payload.aggregations.index_names.buckets.stream().map(p -> ['index':p.key,'docs_in_last_week':p.older_data.doc_count,'docs_in_last_15m':p.newer_data.doc_count]).collect(Collectors.toList());
          """
        },
        "logging": {
          "text": """
         {{#ctx.payload._value}}
         index={{index}} had no docs in last 15m (was {{docs_in_last_week}} documents in last 14 days)
         {{/ctx.payload._value}}


"""
        }
      }
    }
  }

Sample result is:

      "actions" : [
        {
          "id" : "log",
          "type" : "logging",
          "status" : "success",
          "transform" : {
            "type" : "script",
            "status" : "success",
            "payload" : {
              "_value" : [
                {
                  "docs_in_last_15m" : 0,
                  "index" : "alert-messages-new",
                  "docs_in_last_week" : 5599
                },
                {
                  "docs_in_last_15m" : 0,
                  "index" : "latest-neid-alerts",
                  "docs_in_last_week" : 39
                },
                {
                  "docs_in_last_15m" : 0,
                  "index" : "devices",
                  "docs_in_last_week" : 2
                }
              ]
            }
          },
          "logging" : {
            "logged_text" : """
         index=alert-messages-new had no docs in last 15m (was 5599 documents in last 14 days)
         index=latest-neid-alerts had no docs in last 15m (was 39 documents in last 14 days)
         index=devices had no docs in last 15m (was 2 documents in last 14 days)


"""
          }
        }
      ]

Obviously, format it to your liking and use the email action rather than the simple logging action. Also, you probably won't want to look back as far as I did (14 days — maybe you just do 1h). I had to because I don't really have live data coming into my cluster.

Thank you so much @richcollier, it worked for me.
