How to check only the documents with in the interval?

YuWatanabe · September 15, 2016, 11:13am

I want to check only the documents which was indexed within the interval of watcher execution but result.input.payload.hits.total is returning all the matched documents in the index matching the query.

My watcher definition is below.

PUT _xpack/watcher/watch/cpu_monitoring
{
  "metadata" : { 
    "color" : "red"
  },
  "trigger" : { 
    "schedule" : {
      "interval" : "1m"
    }
  },
  "input" : { 
    "search" : {
      "request" : {
        "indices" : "metricbeat-*",
        "body" : {
          "query" : {
            "bool" : {
              "must" : [
                {"match" : { "metricset.name" : "cpu" }},
                {"range" : { "system.cpu.idle.pct" : {"lte" : "0.97" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition" : { 
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : { 
    "email_administrator" : {
      "email" : {
        "to" : "root@localhost.localdomain",
        "subject" : "Encountered {{ctx.payload.hits.total}} errors",
        "body" : "Too many error in the system, see attached data",
        "attachments" : {
          "attached_data" : {
            "data" : {
              "format" : "json"
            }
          }
        },
        "priority" : "high"
      }
    }
  }
}

I appreciate if someone can help me how to fix my query.

spinscale · September 15, 2016, 12:58pm

Hey,

you need to add another filter to your must query that filters for time. Also you should use date math for correct index filtering.

See https://www.elastic.co/guide/en/elasticsearch/reference/2.4/common-options.html#date-math
and https://www.elastic.co/guide/en/watcher/2.4/transform.html#transform-search-template for an example how to filter by date.

--Alex

YuWatanabe · September 15, 2016, 9:40pm

Thanks @spinscale

I just figured out it too.

  "input" : { 
    "search" : {
      "request" : {
        "indices" : "metricbeat-*",
        "body" : {
          "query" : {
            "bool" : {
              "must" : [
                {"match" : { "metricset.name" : "cpu" }},
                {"range" : { "system.cpu.idle.pct" : {"lte" : "0.97" } } },
                {"range" : { "@timestamp" : {"gte" : "now-1m", "lte" : "now" } } }
              ]
            }
          }
        }
      }
    }
  },

Topic		Replies	Views
Watcher search for feild value in last 1mins Elasticsearch elastic-stack-alerting	2	1039	July 6, 2017
Create a simple frequency based alert using Watcher Elasticsearch elastic-stack-alerting	6	1886	September 17, 2018
Watcher Timestamp showing in EPOCH Elasticsearch elastic-stack-alerting	4	905	October 1, 2021
How watcher query the elasticsearch based on time interval Elasticsearch	1	426	July 5, 2017
Ensure that watcher does not miss documents (logs) Elasticsearch elastic-stack-alerting	5	2888	May 23, 2018

How to check only the documents with in the interval?

Related topics