Hello everyone,
I have a problem with the Elasticsearch Watcher. I think the problem comes from my syntax, but I don't know where.
I have this information:
For the moment I would like to test whether the temperature is greater than 0, so I made the following watcher:
{
  "trigger": {
    "schedule": {
      "interval": "60s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "monitoring"
        ],
        "types": ,
        "body": {
          "query": {
            "match": {
              "_type": "monitoring"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.hits.temperature ": {
        "gt": 0
      }
    }
  },
  "actions": {
    "email_admin": {
      "email": {
        "profile": "standard",
        "to": [
          "'Peere benjamin <benjaminpeere@gmail.com>'"
        ],
        "subject": "{{ctx.watch_id}} executed",
        "body": {
          "text": "{{ctx.watch_id}} executed with {{ctx.payload.hits.total}} hits"
        }
      }
    }
  }
}
Do you have any idea what is wrong?
Thanks!
Hi Benjamin,
The Alerting Examples repo at https://github.com/elastic/examples/tree/master/Alerting is a good reference to look at.
For example, look at this one: https://github.com/elastic/examples/blob/master/Alerting/filesystem_usage/watch.json
Notice a few things that are different from what you are trying:
- There is a notion of a time range in the query (query the index for documents in the last X minutes), and the threshold condition is in the query too, using another range filter:
"query": {
  "bool": {
    "filter": [
      {
        "range": {
          "@timestamp": {
            "gte": "now-{{ctx.metadata.window_period}}"
          }
        }
      },
      {
        "range": {
          "used_p": {
            "gte": "{{ctx.metadata.threshold}}"
          }
        }
      }
    ]
  }
}
- The condition of the watch counts the number of hits returned by this query:
"condition": {
  "compare": {
    "ctx.payload.hits.total": {
      "gt": 0
    }
  }
},
In other words, put all of the logic in the main query, then use the watch condition to see whether your query matched or not.
Hope that helps!
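The two points in the reply above, as an added example that is not part of the original thread or of Elastic's code: a small simulation of how a `compare` condition walks `ctx.payload` (so you can see why `ctx.payload.hits.hits.temperature` never resolves, since `hits.hits` is a list of documents, while `ctx.payload.hits.total` does), and a builder that produces the corrected watch body for the temperature case with the window and threshold moved into the query. The search response shape is a constructed sample with made-up values; `resolve_path` is a simplified stand-in for Watcher's own path resolution (it accepts numeric segments for list indices, as Watcher does, and treats an unresolvable path as a failed condition); the index, field and metadata names are assumptions chosen for the example. The generated watch uses a `logging` action instead of the original `email` action so it can be tried without mail settings.

```python
import json

# Constructed sample of what Watcher stores in ctx.payload for a search input:
# the shape of an Elasticsearch search response, with invented values.
SAMPLE_PAYLOAD = {
    "took": 3,
    "timed_out": False,
    "hits": {
        "total": 2,
        "max_score": 1.0,
        "hits": [
            {"_index": "monitoring", "_type": "monitoring", "_id": "1",
             "_source": {"@timestamp": "2017-05-01T10:00:00Z", "temperature": 21.5}},
            {"_index": "monitoring", "_type": "monitoring", "_id": "2",
             "_source": {"@timestamp": "2017-05-01T10:01:00Z", "temperature": 19.0}},
        ],
    },
}


def resolve_path(payload, path):
    """Walk a dotted 'ctx.payload.*' path the way a compare condition addresses it.

    Simplified stand-in for Watcher's resolution (assumption, not Elastic's code):
    object keys are looked up by name, list elements by a numeric segment, and
    any segment that cannot be resolved makes the whole path resolve to None.
    Reading a field name such as 'temperature' directly off the hits.hits list
    therefore yields None, because a list has no key called 'temperature'.
    """
    prefix = "ctx.payload."
    if not path.startswith(prefix):
        return None
    node = payload
    for part in path[len(prefix):].split("."):
        if isinstance(node, dict) and part in node:
            node = node[part]
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return None
    return node


def compare_gt(payload, path, threshold):
    """Evaluate a {'compare': {path: {'gt': threshold}}} condition; an
    unresolvable path compares as false rather than raising."""
    value = resolve_path(payload, path)
    return value is not None and value > threshold


def build_watch(index, field, threshold, window="5m", interval="60s"):
    """Corrected watch body for 'alert when <field> exceeded <threshold> in the
    last <window>': the time range and the threshold live in the query as
    range filters, and the condition only checks hits.total > 0."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "metadata": {"window_period": window, "threshold": threshold},
        "input": {"search": {"request": {
            "indices": [index],
            "body": {"query": {"bool": {"filter": [
                {"range": {"@timestamp": {"gte": "now-{{ctx.metadata.window_period}}"}}},
                {"range": {field: {"gt": "{{ctx.metadata.threshold}}"}}},
            ]}}},
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"log_hits": {"logging": {
            "text": "{{ctx.watch_id}} matched {{ctx.payload.hits.total}} documents",
        }}},
    }


if __name__ == "__main__":
    # The original path (with and without the stray trailing space) never resolves.
    print(resolve_path(SAMPLE_PAYLOAD, "ctx.payload.hits.hits.temperature"))
    print(compare_gt(SAMPLE_PAYLOAD, "ctx.payload.hits.hits.temperature ", 0))
    # A single document can be addressed by index, but the query-side filter is simpler.
    print(resolve_path(SAMPLE_PAYLOAD, "ctx.payload.hits.hits.0._source.temperature"))
    print(compare_gt(SAMPLE_PAYLOAD, "ctx.payload.hits.total", 0))
    print(json.dumps(build_watch("monitoring", "temperature", 0), indent=2))
```

The builder only changes what the reply recommends: the `gt` on `temperature` becomes a `range` filter in the query, a second `range` on `@timestamp` keeps each run from re-matching old documents, and the condition degenerates to "did anything match". The generated body is what you would `PUT` to `_watcher/watch/<id>` (or `_xpack/watcher/watch/<id>` on the 5.x and 6.x line).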