Finding correct painless request for Kibana Webhook

Hello,

I'm trying to hand over an ID from my Watcher context to my Watcher Action (Webhook).

There are the following fields:

workerId.keyword = string
f1score = number
assignment_completed = boolean

I want to find out if there is a workerId having at least 5 'assignment_complete = true' in the last 5 minutes.

Then I want to find out if a workerId having these 5 assignments_completed = true does have an average f1Score < 0.7.
If the workerId has an average f1Score < 0.7 I want to hand over the workerId to the body of my Action.

"WorkerId": here the workerId.keyword of the one with average f1Score < 0.7 should appear

Here you can see my actual request:
I am actually asking for a workerId.keyword in the last 5 min with an f1score < 0.7, without asking for the 5 times 'assignment_complete = true' (didn't get it and would be happy for help, but for me it's more important to hand over the ID).

{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "mobots_assignments*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "start_time": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",  
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "bucketAgg": {
              "terms": {
                "field": "workerId.keyword",
                "size": 1,
                "order": {
                  "metricAgg": "asc"
                }
              },
              "aggs": {
                "metricAgg": {
                  "min": {
                    "field": "f1score"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value < params.threshold) { return true; } } return false;",
      "lang": "painless",
      "params": {
        "threshold": 0.7
      }
    }
  },
  "actions": {
    "mobots_webhook": {
      "webhook": {
        "scheme": "https",
        "host": "www.xyz.com",
        "port": 443,
        "method": "post",
        "path": "/worker_block",
        "params": {},
        "headers": {
          "Host": "www.xyz.com",
          "Content-Type": "application/json"
        },
        "body": {
          "source": {
            "WorkerId": "HERE THE workerId OF THE ONE WITH AVERAGE F1SCORE<0.7 SHOULD APPEAR",
            "Reason": "for test"
          },
          "lang": "mustache",
          "options": {
            "content_type": "application/json; charset=UTF-8"
          }
        }
      }
    }
  }
}

If you need more information, let me know.
Thank you for reading.

The trick is to modify your payload data before handing it over to the webhook. You can use a [script transform](https://www.elastic.co/guide/en/elastic-stack-overview/7.3/transform-script.html) to do that. Take a look at the alerting examples for some more inspiration.
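One way to apply the script transform suggested in the reply, as an added example that is not part of the original thread. The aggregation names (`workers`, `avg_f1`, `low_performers`), the completed-only query filter and sending only the lowest-average worker per run are assumptions; field names and the endpoint are taken from the question. The body is serialized with `toJson` so the ID is never spliced into a JSON string by hand.

```json
{
  "metadata": { "note": "Added example, not the poster's watch; agg names and the completed-only filter are assumptions" },
  "trigger": { "schedule": { "interval": "30s" } },
  "input": { "search": { "request": {
    "indices": ["mobots_assignments*"],
    "body": {
      "size": 0,
      "query": { "bool": { "filter": [
        { "term": { "assignment_completed": true } },
        { "range": { "start_time": {
          "gte": "{{ctx.trigger.scheduled_time}}||-5m",
          "lte": "{{ctx.trigger.scheduled_time}}",
          "format": "strict_date_optional_time||epoch_millis" } } }
      ] } },
      "aggs": { "workers": {
        "terms": { "field": "workerId.keyword", "size": 100, "order": { "avg_f1": "asc" } },
        "aggs": {
          "avg_f1": { "avg": { "field": "f1score" } },
          "low_performers": { "bucket_selector": {
            "buckets_path": { "done": "_count", "f1": "avg_f1" },
            "script": "params.done >= 5 && params.f1 < 0.7" } }
        }
      } }
    }
  } } },
  "condition": { "script": {
    "lang": "painless",
    "source": "return ctx.payload.aggregations.workers.buckets.size() > 0;" } },
  "transform": { "script": {
    "lang": "painless",
    "source": "def b = ctx.payload.aggregations.workers.buckets[0]; return ['WorkerId': b.key, 'Reason': 'for test'];" } },
  "actions": { "mobots_webhook": { "webhook": {
    "scheme": "https", "host": "www.xyz.com", "port": 443,
    "method": "post", "path": "/worker_block",
    "headers": { "Content-Type": "application/json" },
    "body": "{{#toJson}}ctx.payload{{/toJson}}"
  } } }
}
```

The `bucket_selector` drops every worker with fewer than 5 completed assignments or an average of 0.7 or more, so the condition only has to check that a bucket is left, and the transform replaces the payload with the two fields the webhook receives.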
