We're using elastic to analyze some voip call traffic and I'm trying to figure out how to use watcher to monitor some limits we'd like to impose.
So an example would be:
Send me an alert when a calling number makes more than X minutes of calls in a 24hr period. Each time a different calling number breaks that threshold, send me a new alert.
I can query for numbers that are breaking the limit using a combination of terms, sum and bucket_selector aggregation, and then transform that into a series of new documents which I can index.
But what I would like is to execute a webhook action for each of those new documents, and have the throttle period apply per doc. Is it possible to do this all in watcher?
If you write a document into an index for every number you alert on, you should be able to use a chained input to remove any users that have already been alerted on within the throttle period. There is a simple example on GitHub that shows how to remove results from an initial result set using a chained input.
I'm storing new hits in an index and successfully using chained inputs to get the disjoint of new and old hits. This is working ok atm, but I'm wondering how well it will scale if I have a must_not.terms clause with hundreds or potentially thousands of entries.
Also, is it possible to execute a webhook action for each document, like it is with the index action?
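One way to put the whole flow into a single watch, as an added example written for this thread (it is not code from the thread, from the GitHub example mentioned above, or from Elastic's documentation), in Elasticsearch 7.x Watcher syntax: the first chained input finds calling numbers over the limit with terms + sum + bucket_selector, the second fetches the numbers already alerted on within the throttle window, and a Painless transform takes the difference of the two sets instead of templating a growing must_not/terms clause into the second query; the per-number "throttle" is simply the 24h window on the alerts index. The index names (voip-cdr-*, voip-alerts), the field names (calling_number, duration_minutes, @timestamp), the 120-minute limit and the 24h window are assumptions.

```json
{
  "trigger": { "schedule": { "interval": "1h" } },
  "input": {
    "chain": {
      "inputs": [
        { "over_limit": { "search": { "request": {
          "indices": ["voip-cdr-*"],
          "body": {
            "size": 0,
            "query": { "range": { "@timestamp": { "gte": "now-24h" } } },
            "aggs": { "by_caller": {
              "terms": { "field": "calling_number", "size": 10000 },
              "aggs": {
                "total_minutes": { "sum": { "field": "duration_minutes" } },
                "keep_over_limit": { "bucket_selector": {
                  "buckets_path": { "minutes": "total_minutes" },
                  "script": "params.minutes > 120"
                } }
              }
            } }
          }
        } } } },
        { "already_alerted": { "search": { "request": {
          "indices": ["voip-alerts"],
          "body": {
            "size": 10000,
            "_source": ["calling_number"],
            "query": { "range": { "@timestamp": { "gte": "now-24h" } } }
          }
        } } } }
      ]
    }
  },
  "transform": { "script": { "lang": "painless",
    "source": "def seen = new HashSet(); for (h in ctx.payload.already_alerted.hits.hits) { seen.add(h._source.calling_number); } def docs = []; for (b in ctx.payload.over_limit.aggregations.by_caller.buckets) { if (!seen.contains(b.key)) { docs.add(['calling_number': b.key, 'total_minutes': b.total_minutes.value]); } } return ['_doc': docs];"
  } },
  "actions": {
    "record_new_offenders": {
      "condition": { "script": "ctx.payload._doc.size() > 0" },
      "index": { "index": "voip-alerts", "execution_time_field": "@timestamp" }
    }
  }
}
```

Because the index action writes one document per element of the `_doc` array, each newly offending number lands in voip-alerts once and is then excluded by the second input until its 24h window expires; a downstream consumer of that index (or a logstash pipeline fed by it) can fire the per-number webhook.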
The webhook action only supports single HTTP requests. Maybe it would help if you send the watch results to logstash using the webhook action (and an optional transform) and process it step by step there via a custom filter and the http input.
I found that http_method will only take a static string, so you can't pass in the method to be used with a variable like %{method}. If you wanted to support other methods, you'd have to include an if/else block around the http {} output.