Getting error while configuring watcher alerts

Hi,

I want to set up a watcher alert which should alert me if there are any 5XX calls for more than 1 hour. I am using this code but it is giving me "ParsingException[[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]]".
Also the index name changes every day, i.e. logstash-2018.03.23; on the next day it would be logstash-2018.03.24. How can I configure this? Please help me on this.


Below is the code which I am trying.

```json
PUT _xpack/watcher/watch/5xx_alert
{
  "trigger": {
    "schedule": {
      "interval": "60s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "logstash-2018.03.23"
        ],
        "body": {
          "query": {
            "match": {
              "response_code": "5**"
            },
            {
              "range": {
                "timestamp": {
                  "gte": "now-1h",
                  "lte": "now"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "emailid",
        "subject": "Watcher 5xx executed",
        "body": "{{ctx.watch_id}} executed with {{ctx.payload.hits.total}} hits"
      }
    }
  }
}
```

Please take your time to properly format your request. This is very hard to read.

Instead of writing the watch, please take a step back, extract the query and run it using a regular `_search` request and see if it works. I highly doubt it, as it looks as if you are not using a bool query with several filter clauses.

Also the syntax you are using, `5**`, should be replaced with a range query (search for everything between 500 and 599).
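The following is an added example, not code from either poster or from Elastic: it builds the watch the reply describes, with the two conditions inside a `bool`/`filter` block, the `5**` match replaced by a numeric `range` on `response_code` (500 to 599), and the fixed daily index name replaced by a pattern so the watch does not have to be edited every day. It also exposes the search body on its own, so it can be tried against `_search` before the watch is created, and round-trips the result through JSON to show it is well-formed (the posted JSON is not). The index pattern `logstash-*`, the recipient address, and the assumption that `response_code` is mapped as a number are placeholders; the field names `response_code` and `timestamp` come from the original post.

```python
import json


def build_watch(index_pattern="logstash-*", email_to="alerts@example.com",
                interval="60s", window="1h"):
    """Return a watch definition for 'any 5xx response in the last hour'.

    index_pattern: assumed placeholder; "logstash-*" covers every daily index,
    and the timestamp filter limits the data actually scanned.
    """
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {
            "search": {
                "request": {
                    "indices": [index_pattern],
                    "body": {
                        # only the hit count is needed, so return no documents
                        "size": 0,
                        "query": {
                            "bool": {
                                # filter clauses: no scoring, both must match
                                "filter": [
                                    # assumes response_code is a numeric field
                                    {"range": {"response_code": {"gte": 500, "lte": 599}}},
                                    {"range": {"timestamp": {"gte": f"now-{window}", "lte": "now"}}},
                                ]
                            }
                        },
                    },
                }
            }
        },
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {
            "send_email": {
                "email": {
                    "to": email_to,  # placeholder address
                    "subject": "Watcher 5xx executed",
                    "body": "{{ctx.watch_id}} executed with {{ctx.payload.hits.total}} hits",
                }
            }
        },
    }


def search_body(watch):
    """Extract the query body so it can be run with a plain _search first."""
    return watch["input"]["search"]["request"]["body"]


def filter_clauses(watch):
    """Return the list of bool filter clauses, for inspection."""
    return search_body(watch)["query"]["bool"]["filter"]


def to_json(obj):
    """Serialise for pasting into Kibana Dev Tools."""
    return json.dumps(obj, indent=2)


def from_json(text):
    """Parse back; raises if the text is not valid JSON."""
    return json.loads(text)


if __name__ == "__main__":
    watch = build_watch()
    # Step 1 from the reply: try the query on its own.
    print(f"GET {watch['input']['search']['request']['indices'][0]}/_search")
    print(to_json(search_body(watch)))
    # Step 2: only once that returns sensible hits, create the watch.
    print("PUT _xpack/watcher/watch/5xx_alert")
    print(to_json(watch))
```

If `response_code` is indexed as a keyword rather than a number, the range query still works for three-digit status strings ("500" to "599"), but a numeric mapping is the safer choice. Date math index names such as `<logstash-{now/d}>` are an alternative to the wildcard when only today's index should be searched.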
