Elasticsearch watcher syntax

Hello everyone,

I have a problem with the Elasticsearch watcher. I think the problem comes from my syntax, but I don't know where.
I have this information:


For the moment I would like to test if the temperature is greater than 0, so I made the following watcher:
{
  "trigger": {
    "schedule": {
      "interval": "60s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "monitoring"
        ],
        "types": [],
        "body": {
          "query": {
            "match": {
              "_type": "monitoring"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.hits.temperature ": {
        "gt": 0
      }
    }
  },
  "actions": {
    "email_admin": {
      "email": {
        "profile": "standard",
        "to": [
          "'Peere benjamin < benjaminpeere@gmail.com >'"
        ],
        "subject": "{{ctx.watch_id}} executed",
        "body": {
          "text": "{{ctx.watch_id}} executed with {{ctx.payload.hits.total}} hits"
        }
      }
    }
  }
}
Do you have any idea of what is wrong?
Thanks!

Hi Benjamin,

The Alerting Examples Repo at https://github.com/elastic/examples/tree/master/Alerting is a good reference to look at.

For example, look at this one: https://github.com/elastic/examples/blob/master/Alerting/filesystem_usage/watch.json

Notice a few things that are different from what you are trying:

  • There is a notion of time range in the query (query the index for documents in the last X minutes), and there's the threshold condition in the query using another range filter:
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-{{ctx.metadata.window_period}}"
                    }
                  }
                },
                {
                  "range": {
                    "used_p": {
                      "gte": "{{ctx.metadata.threshold}}"
                    }
                  }
                }
              ]
            }
          }
  • The condition of the watch is counting the number of hits of the return of this query
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },

In other words, put all of the logic in the main query, then use the watch condition to see if your query matched or not.

Hope that helps!
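Applying that advice to the temperature case, here is a complete watch as an added example; it is not from either post or from the examples repo. It assumes the `monitoring` index has a numeric `temperature` field and a `@timestamp` date field, and the recipient address is a placeholder. The threshold and look-back window live in `metadata` so they can be tuned without editing the query, and the `note` inside `metadata` records those assumptions since JSON has no comments. The path used in the original condition, `ctx.payload.hits.hits.temperature`, does not exist in a search response (`hits.hits` is an array of documents whose fields sit under `_source`), so the condition here only checks `hits.total`, and the email renders the matching readings by iterating over `hits.hits`:

```json
{
  "metadata": {
    "note": "Added example for this thread, not the original poster's watch. Field names temperature/@timestamp, the index name and the recipient are assumptions.",
    "window_period": "5m",
    "threshold": 0
  },
  "trigger": {
    "schedule": {
      "interval": "60s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "monitoring"
        ],
        "body": {
          "size": 1,
          "sort": [
            {
              "temperature": "desc"
            }
          ],
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-{{ctx.metadata.window_period}}"
                    }
                  }
                },
                {
                  "range": {
                    "temperature": {
                      "gt": "{{ctx.metadata.threshold}}"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "email_admin": {
      "email": {
        "profile": "standard",
        "to": [
          "alerts@example.com"
        ],
        "subject": "{{ctx.watch_id}}: {{ctx.payload.hits.total}} readings above {{ctx.metadata.threshold}} in the last {{ctx.metadata.window_period}}",
        "body": {
          "text": "Highest reading: {{#ctx.payload.hits.hits}}{{_source.temperature}} at {{_source.@timestamp}}{{/ctx.payload.hits.hits}}"
        }
      }
    }
  }
}
```

Create it with `PUT _watcher/watch/temperature_alert` (7.x and later; `PUT _xpack/watcher/watch/temperature_alert` on 5.x and 6.x), then dry-run it with `POST _watcher/watch/temperature_alert/_execute` and a body of `{"action_modes": {"_all": "simulate"}}` so the rendered query, the condition result and the rendered email come back in the response without anything being sent. Keep `size` small: the condition only needs `hits.total`, and every hit the search returns is copied into the watch history index.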
