Help with Advanced Watcher

Elastic Stack Elasticsearch
1

Hi guys,

I'm trying to create a watcher for a simple query that goes like this:

field: "service_X" and event.level: "ERROR"

The problem is, when creating the watcher itself, it doesn't allow me to use multiple fields:

"input": {
"search": {
  "request": {
    "search_type": "query_then_fetch",
    "indices": [
      "whatever-logs-*"
    ],
    "rest_total_hits_as_int": true,
    "body": {
      "size": 0,
      "query": {
        "bool": {
          "filter": [
            {
              "range": {
                "@timestamp": {
                  "from": "now-10m",
                  "to": "now"
                }
              }
            },
            {
              "multi_match": {
                "query": "field_X: 'service_X' and event.level: 'ERROR'",
                "fields": ["field_X", "event.level"]
              }                  
            }
          ]
        }
      },
      "aggs": {
        "whatever_errors": {
          "cardinality": {
            "field": "field_X",
            "field":"event.level"
          }              
        }
      }
    }
  }
}

},
"condition": {
"always": {}
},
"actions": {
"send_to_whatever": {
"transform": {
"script": {
"source": "return [ 'sms_errors': ctx.payload.aggregations.whatever_errors.value ]",
"lang": "painless"
}
},

The error I'm getting from the simulation is // Failed to transform payload
Like there's something related to the transform part.

Thank you.

2

can you share the output of the execute watch API?

Also, please make sure, your whole snippet is formatted, this makes it a million times easier to read.

Thank you!

3

Nevermind, looks like we have a timeout issue with the entire cluster, shards are over 100GB. We gotta take care of it first before setting up watchers/searches.

Thank you!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.