How to force Elastic to apply an AND between should and filter (not an OR query)

Hi,
I want to get a message about all failed pods in the last 10 minutes.
What I am getting now is all the messages of failed pods or messages from the last 10 minutes.
How can this be fixed? I tried to understand how to apply the information from the documentation here, but without success. Here is the JSON of my watcher.
Thanks a lot!

{
  "trigger": {
"schedule": {
  "interval": "5m"
}
  },
  "input": {
"search": {
  "request": {
    "search_type": "query_then_fetch",
    "indices": [
      "metricbeat-6.2.2-*"
    ],
    "types": [],
    "body": {
      "size": 0,
      "query": {
        "bool": {
          "should": [
            {
              "terms": {
                "kubernetes.pod.status.phase": [
                  "failed"
                ]
              }
            },
            {
              "terms": {
                "kubernetes.pod.status.ready": [
                  "failed"
                ]
              }
            }
          ],
          "filter": [
            {
              "range": {
                "@timestamp": {
                  "gte": "now-600s"
                }
              }
            }
          ]
            
        }
      }
    }
  }
}
  },
  "condition": {
"compare": {
  "ctx.payload.hits.total": {
    "gte": 2
  }
}
  },
  "actions": {
"my-logging-action": {
  "logging": {
    "level": "info",
    "text": "There are {{ctx.payload.hits.total}} messages that pods have problems."
  }
}
  }
}

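Update: This is a solution which worked for me:
The key was that a bool query can be nested inside should and must. Somehow I did not get this when reading the documentation. In the original query the should clauses sit next to a filter clause, which makes them optional (minimum_should_match defaults to 0 when a must or filter clause is present), so they did not restrict the results. Wrapping them in their own bool inside must requires at least one of them to match in addition to the time range.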

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-6.2.2-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "bool": {
                    "should": [
                      {
                        "terms": {
                          "kubernetes.pod.status.phase": [
                            "failed"
                          ]
                        }
                      },
                      {
                        "terms": {
                          "kubernetes.pod.status.ready": [
                            "failed"
                          ]
                        }
                      }
                    ]
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-10m"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 2
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "There are {{ctx.payload.hits.total}} messages that pods have problems."
      }
    }
  }
}
