Help with watcher alert configuration in Kibana

Hi, this is my first post so yes I'm a noob who just recently started with ELK. I'm trying to set up an advanced watcher in Kibana.
Let's say I have one index 'store' which contains documents with fields e.g. 'amountSpent', 'purchaseDateTime', 'user', 'storeName', ... I would like to create an alert when someone spends over 10 000. Next, I need to send a Slack notification with a message "User {user} spent {amountSpent} in {storeName}!".
The watcher should run every 5 min and search for data not older than 5 min to avoid sending the slack notification multiple times for the same alert.
Now, I already configured a Slack account and played with a threshold (simple) alert, which is OK, but with that I can't get any additional field values to compose a message.
My threshold alert configuration was:
- 'Name': 'High Spent Alert',
- 'Indices to query': 'store',
- 'Time field': 'purchaseDateTime',
- 'Run watch every': '5 min',
- 'Matching the following condition': 'WHEN max() OF amountSpent OVER all documents IS ABOVE 10000 FOR THE LAST 5 minutes'
- 'Will perform 1 action once met': 'Slack'
i. 'Recipient': '{my address}'
ii. 'Message': 'Watch [{{ctx.metadata.name}}] there was a purchase which amount spended over 10 000!'

Thanks in advance for any help!

Hey @Josip_Cagalj, I'm going to move this question to the Elasticsearch topic because we have to use the "advanced watch" functionality in Kibana which essentially allows you to create a watch definition directly using the Elasticsearch APIs.

Ok, thanks, and sorry for posting in the wrong thread.

Hi, I've successfully added my watch with email action. I'm now stuck in html body of my email. Here is the complete "html":

"html": "There is a total of {{ctx.payload.hits.total}} purchases which exceeded the threshold:<br><br><table><tr><th>Amount</th><th>User</th><th>Time</th></tr> {{#ctx.payload.hits.hits}} {{{<tr><td>}}} {{_source.Amount}} {{{</td><td>}}} {{_source.User} {{{</td><td>}}} {{_source.purchaseDateTime}} {{{</td></tr>}}} {{/ctx.payload.hits.hits}} </table>"

When the watcher is executed I'm getting:

"html": "There is a total of 8 purchases which exceeded the threshold:<table><tr><th>Amount</th><th>User</th><th>Time</th></tr><tr><td> 1000000 </td><td> </td></tr><tr><td> 100500 </td><td> </td></tr><tr><td> 100000 </td><td> </td></tr><tr><td> 100500 </td><td> </td></tr><tr><td> 12220 </td><td> </td></tr><tr><td> 10020 </td><td> </td></tr><tr><td> 12220 </td><td> </td></tr><tr><td> 100000 </td><td> </td></tr></table>"

Which ends up like this:

There is a total of 8 purchases which exceeded the threshold:

Amount User Time
1000000
100500
100000
100500
12220
10020
12220
100000

As you can see, I'm missing the Time and User part of the data and can't figure out where the error is. So please, if anyone can help, I'd appreciate it. Thanks in advance.

Can you show a full sample document? Note that field names are case sensitive.

Hi, thanks for your reply. I made a mistake when posting last time. I copied the wrong action response, so to clarify, my email HTML body defined in the action send_email looks like this:

"html": "There is a total of {{ctx.payload.hits.total}} purchases which exceeded the threshold:<br><br><table><tr><th>Amount</th><th>User</th><th>Time</th></tr> {{#ctx.payload.hits.hits}} {{{<tr><td>}}} {{_source.Amount}} {{{</td><td>}}} {{_source.User}{{{</td><td>}}} {{_source.purchaseDateTime}} {{{</td></tr>}}} {{/ctx.payload.hits.hits}} </table>"

When executed this is the response:

"html": "There is a total of 8 purchases which exceeded the threshold:<table><tr><th>Amount</th><th>User</th><th>Time</th></tr></table> 1000000 241 2019-03-12T02:21:44 100500 261 2019-03-16T12:08:56 100000 241 2019-03-16T12:08:56 100500 241 2019-03-16T12:08:56 12220 241 2019-03-23T05:52:36 10020 241 2019-03-23T05:52:36 12220 261 2019-03-23T05:52:36 100000 251 2019-03-26T12:08:56 "

So the problem is that table closing tag </table> is put before looping through payload hits data. Also, there aren't any table tags (row, cell) inside the data?!

All the data are valid, but displaying them in a table is something I can't accomplish.

This works for me

POST _xpack/watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "10h"
      }
    },
    "input": {
      "simple": {
        "hits": {
          "hits": [
            {
              "_source": {
                "Amount": 123,
                "User": "123",
                "purchaseDateTime": "123"
              }
            },
            {
              "_source": {
                "Amount": 456,
                "User": "456",
                "purchaseDateTime": "456"
              }
            }
          ]
        }
      }
    },
    "actions": {
      "logme": {
        "logging": {
          "text": "There is a total of {{ctx.payload.hits.total}} purchases which exceeded the threshold:<br><br><table><tr><th>Amount</th><th>User</th><th>Time</th></tr> {{#ctx.payload.hits.hits}} <tr><td> {{_source.Amount}} </td><td> {{_source.User}} </td><td> {{_source.purchaseDateTime}} </td></tr> {{/ctx.payload.hits.hits}} </table>"
        }
      }
    }
  }
}

You forgot a closing } at {{_source.User}
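Putting the original requirement (search the last 5 minutes of 'store', alert above 10 000, notify Slack with a per-hit message) together with the corrected mustache loop, here is an added example of a complete advanced watch; it is not from the thread or the Elastic docs. It assumes the field names from the first post (amountSpent, user, storeName, purchaseDateTime, case sensitive), and the Slack account name and channel are placeholders.

```json
# Added example, not from the thread: assumes index 'store', the field names from the first post, and a Slack account named my_slack_account
PUT _xpack/watcher/watch/high_spent_alert
{
  "metadata": { "name": "High Spent Alert", "threshold": 10000 },
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["store"],
        "body": {
          "size": 50,
          "query": {
            "bool": {
              "filter": [
                { "range": { "purchaseDateTime": { "gte": "now-5m", "lt": "now" } } },
                { "range": { "amountSpent": { "gt": 10000 } } }
              ]
            }
          },
          "sort": [{ "amountSpent": "desc" }]
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "notify_slack": {
      "slack": {
        "account": "my_slack_account",
        "message": {
          "from": "watcher",
          "to": ["#alerts"],
          "text": "[{{ctx.metadata.name}}] {{ctx.payload.hits.total}} purchase(s) over {{ctx.metadata.threshold}}:\n{{#ctx.payload.hits.hits}}User {{_source.user}} spent {{_source.amountSpent}} in {{_source.storeName}}!\n{{/ctx.payload.hits.hits}}"
        }
      }
    }
  }
}
```

The query window matches the 5-minute schedule so each purchase is reported at most once, though schedule jitter or late indexing can still push a document across a window boundary. A throttle_period on the action only suppresses repeat firings; it does not deduplicate hits.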

Wow, thanks. Got it to work now. I knew it was a matter of something simple but sometimes you can't see the thing which is just there in front of you :wink:

