Elastic watcher for http 400 and http 500

Hello
I am quite new to Elastic and its observability stack.
I am struggling to create a watcher based on the Elastic APM data: it needs to trigger whenever an HTTP 400 or HTTP 500 is received by the APM server for any of the several applications we have hosted in APM. Please help me out.
Attaching my code.

{
    "trigger": {
      "schedule": {
        "interval": "1m"
      }
    },
    "input": {
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "apm*"
          ],
          "types": [],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  {
                    "term": {
                      "context.service.name": "{{ctx.metadata.serviceName}}"
                    }
                  },
                  {
                    "term": {
                      "context.response.status_code": 500
                    }
                  },
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-{{ctx.metadata.timeRangeValue}}{{ctx.metadata.timeRangeUnit}}"
                      }
                    }
                  }
                ]
              }
            },
            "aggs": {
              "transaction_groups": {
                "terms": {
                  "min_doc_count": "{{ctx.metadata.threshold}}",
                  "field": "transaction.name",
                  "size": 10,
                  "order": {
                    "_count": "desc"
                  }
                },
                "aggs": {
                  "sample": {
                    "top_hits": {
                      "_source": [
                        "context.request.method",
                        "@timestamp"
                      ],
                      "sort": [
                        {
                          "@timestamp": "desc"
                        }
                      ],
                      "size": 1
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "always": {}
    }
  }

The error output is attached here as well.

Simulation results
Error
Simulation output
{
  "watch_id": "_inlined_",
  "node": "JE2CKlgzRJiKsZPs7YVwag",
  "state": "failed",
  "user": "SPOTNURU@volvocars.com",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2022-04-11T10:37:46.734Z"
    },
    "actions": {},
    "execution_state": "failed",
    "version": -1
  },
  "trigger_event": {
    "type": "manual",
    "triggered_time": "2022-04-11T10:37:46.734Z",
    "manual": {
      "schedule": {
        "scheduled_time": "2022-04-11T10:37:46.734Z"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "apm*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "term": {
                    "context.service.name": "{{ctx.metadata.serviceName}}"
                  }
                },
                {
                  "term": {
                    "context.response.status_code": 500
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-{{ctx.metadata.timeRangeValue}}{{ctx.metadata.timeRangeUnit}}"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "transaction_groups": {
              "terms": {
                "min_doc_count": "{{ctx.metadata.threshold}}",
                "field": "transaction.name",
                "size": 10,
                "order": {
                  "_count": "desc"
                }
              },
              "aggs": {
                "sample": {
                  "top_hits": {
                    "_source": [
                      "context.request.method",
                      "@timestamp"
                    ],
                    "sort": [
                      {
                        "@timestamp": "desc"
                      }
                    ],
                    "size": 1
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "always": {}
  },
  "metadata": {
    "name": "Failed transaction ",
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2022-04-11T10:37:46.734Z",
    "execution_duration": 0,
    "input": {
      "type": "search",
      "status": "failure",
      "error": {
        "root_cause": [
          {
            "type": "x_content_parse_exception",
            "reason": "[1:219] [terms] failed to parse field [min_doc_count]"
          }
        ],
        "type": "x_content_parse_exception",
        "reason": "[1:219] [terms] failed to parse field [min_doc_count]",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "For input string: \"\""
        }
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "apm*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  {
                    "term": {
                      "context.service.name": ""
                    }
                  },
                  {
                    "term": {
                      "context.response.status_code": 500
                    }
                  },
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-"
                      }
                    }
                  }
                ]
              }
            },
            "aggs": {
              "transaction_groups": {
                "terms": {
                  "min_doc_count": "",
                  "field": "transaction.name",
                  "size": 10,
                  "order": {
                    "_count": "desc"
                  }
                },
                "aggs": {
                  "sample": {
                    "top_hits": {
                      "_source": [
                        "context.request.method",
                        "@timestamp"
                      ],
                      "sort": [
                        {
                          "@timestamp": "desc"
                        }
                      ],
                      "size": 1
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "actions": []
  },
  "messages": [
    "failed to execute watch input"
  ]
}
