Help with Advanced Watcher

Hi guys,

I'm trying to create a watcher for a simple query that goes like this:

field: "service_X" and event.level: "ERROR"

The problem is, when creating the watcher itself, it doesn't allow me to use multiple fields:

"input": {
"search": {
  "request": {
    "search_type": "query_then_fetch",
    "indices": [
      "whatever-logs-*"
    ],
    "rest_total_hits_as_int": true,
    "body": {
      "size": 0,
      "query": {
        "bool": {
          "filter": [
            {
              "range": {
                "@timestamp": {
                  "from": "now-10m",
                  "to": "now"
                }
              }
            },
            {
              "multi_match": {
                "query": "field_X: 'service_X' and event.level: 'ERROR'",
                "fields": ["field_X", "event.level"]
              }                  
            }
          ]
        }
      },
      "aggs": {
        "whatever_errors": {
          "cardinality": {
            "field": "field_X",
            "field":"event.level"
          }              
        }
      }
    }
  }
}

},
"condition": {
"always": {}
},
"actions": {
"send_to_whatever": {
"transform": {
"script": {
"source": "return [ 'sms_errors': ctx.payload.aggregations.whatever_errors.value ]",
"lang": "painless"
}
},

The error I'm getting from the simulation is // Failed to transform payload
Like there's something related to the transform part.

Thank you.

can you share the output of the execute watch API?

Also, please make sure, your whole snippet is formatted, this makes it a million times easier to read.

Thank you!

Nevermind, looks like we have a timeout issue with the entire cluster, shards are over 100GB. We gotta take care of it first before setting up watchers/searches.

Thank you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.