How can I successfully debug a watcher? My watchers don't seem to do anything

ujjain · March 2, 2018, 9:57am

My watchers don´t seem to do anything. Nothing appears in the _alerts index and no e-mail gets sent. I'm not sure what effective methods of debugging are either.

I'm running ElasticSearch 2.4.

{
  "_index": "alert_watchers",
  "_type": "watcher",
  "_id": "Test Alerts 2",
  "_score": 1,
  "_source": {
    "name": "Test Alerts 2",
    "disabled": false,
    "status": "OK",
    "loglevel": "ERROR",
    "dashboard": "https://kibana",
    "tags": "demo",
    "trigger": {
      "schedule": {
        "later": "every 5 minutes",
        "plan": "DAILY",
        "sun": {
          "from": "07:00",
          "to": "19:00"
        },
        "mon": {
          "from": "07:00",
          "to": "19:00"
        },
        "tue": {
          "from": "07:00",
          "to": "19:00"
        },
        "wed": {
          "from": "07:00",
          "to": "19:00"
        },
        "thu": {
          "from": "07:00",
          "to": "19:00"
        },
        "fri": {
          "from": "07:00",
          "to": "19:00"
        },
        "sat": {
          "from": "07:00",
          "to": "19:00"
        }
      }
    },
    "input": {
      "search": {
        "request": {
          "index": "<logstash-{now/d}>",
          "body": {
            "highlight": {
              "pre_tags": [
                "@kibana-highlighted-field@"
              ],
              "post_tags": [
                "@/kibana-highlighted-field@"
              ],
              "fields": {
                "*": {}
              },
              "require_field_match": false,
              "fragment_size": 2147483647
            },
            "query": {
              "filtered": {
                "query": {
                  "query_string": {
                    "query": "response:404",
                    "analyze_wildcard": true
                  }
                },
                "filter": {
                  "range": {
                    "@timestamp": {
                      "from": "now-5m"
                    }
                  }
                }
              }
            },
            "size": 0,
            "aggs": {
              "2": {
                "date_histogram": {
                  "field": "@timestamp",
                  "interval": "10m",
                  "time_zone": "Europe/Berlin",
                  "min_doc_count": 1,
                  "extended_bounds": {
                    "min": 1519207582152,
                    "max": 1519293982152
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": {
        "script": "payload.hits.total > 1"
      }
    },
    "record_execution": true,
    "ignore_condition": true,
    "action_modes": {
      "my-action": "force_simulate"
    },
    "transform": {},
    "actions": {
      "action_group": {
        "throttle_period": "1m",
        "console": {
          "message": "error in demo2"
        },
        "email": {
          "to": "me@me.com",
          "subject": "error for demo2",
          "body": "Number of 404 errors last 5 minutes is  {{ payload.hits.total }}. Threshold for error is 1 error last 5 minutes."
        },
        "chat": {
          "hook": "",
          "message": ""
        },
        "webhook": {
          "host": "",
          "port": "",
          "method": "",
          "path": "",
          "headers": "",
          "body": ""
        }
      }
    },
    "@timestamp": "2018-03-02T09:43:31.289Z"
  }
}

LeeDr · March 9, 2018, 1:40pm

I'm not sure how much has changed since 2.4 version, but in current 6.x versions I test a watch with email like this;

Create the watch
periodically get the watch from Elasticsearch from .watches index (may not be the same in 2.4)
if the watch does not show successful execution, then I search .watcher-history* with 'watch_id:' myWatchId (also may not be the same in 2.4)

For example, if the watch fails to execute the email action, the doc in the .watches index doesn't usually have the details of why it failed. But the .watcher-history* entry does.

Also note that you can add index patterns to Kibana for these indices and use it to look at the results.

spinscale · March 9, 2018, 4:51pm

This post here might help, even though it is written for Elasticsearch 5.x and thus some endpoints differ... https://www.elastic.co/blog/watching-the-watches-writing-debugging-and-testing-watches

First thing is to always use the execute watch API and check the response output... the above blogpost explains a bit how to read the output.

system · April 6, 2018, 4:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher on elasticsearch logs Elasticsearch elastic-stack-alerting	4	440	November 30, 2018
Watcher doesn't work (empty result) Elasticsearch elastic-stack-alerting	22	4259	July 23, 2018
Elasticsearch indexes - watcher notifications Elasticsearch elastic-stack-alerting	9	1574	September 15, 2017
Watcher not firing Kibana elastic-stack-alerting	2	408	July 27, 2021
Watcher issue (for real) Elasticsearch elastic-stack-alerting	7	881	July 6, 2017

How can I successfully debug a watcher? My watchers don't seem to do anything

Related topics