Hi All
I am trying to build a JSON file for Watcher that will send an email whenever the count of error logs exceeds 80, but it keeps giving an error message.
This is the JSON file I built:
PUT _watcher/watch/feb6b01f-3fbe-4705-8847-914c89053029
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-1h",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
}
},
"aggs": {
"bucketAgg": {
"terms": {
"field": "error.keyword",
"size": "5",
"order": {}
}
}
}
},
"indices": [
"gfx-prod-logs*"
]
}
}
},
"condition": {
"script": {
"source": "if (ctx.payload.hits.total > params.threshold) { return true; } return false;",
"params": {
"threshold": 80
}
}
},
"transform": {
"script": {
"source": "HashMap result = new HashMap(); result.result = ctx.payload.hits.total; return result;",
"params": {
"threshold": 80
}
}
},
"actions": {
"email_1": {
"email": {
"profile": "standard",
"to": [
"Abdulhadi.b@gmail.com"
],
"subject": "Kibana Alert GFX Prod Error ",
"body": {
"text": "Kibana Alert GFX Prod Error GTe 80"
}
}
}
}
}
Any ideas? The error messages are:
"messages": [
"failed to execute watch input"
And:
"input": {
"type": "search",
"status": "failure",
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "Must specify at least one field for [order]"
Thanks in Advance
Regards