Hi,
I am trying to set up a watcher which can trigger an email every hour giving the names of the applications and the number of times they have hit a particular response code (consider the 404 response code) in that 1 hour. This has to be one table (showing the top 10 applications).
In the same email, I have to get the names of the applications and the number of times they have hit another response code (consider the 500 response code) in that 1 hour. This has to be another table (showing the top 10 applications based on the number of times they hit that response code).
This has to be for multiple response codes. In a single email, I must get 3 tables which have the application names and the number of times they have hit the response codes (like 3 tables for 3 response codes).
I am able to write a watcher for a single response code. (It sends me an email every hour with a table of the top 10 applications and their number of hits of a particular response code.)
This is the watcher query:
```json
{
  "trigger": {
    "schedule": {
      "interval": "60m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60m",
                      "lte": "now"
                    }
                  }
                },
                {
                  "query_string": {
                    "query": "message: \"HTTP/1.1 404\"",
                    "analyze_wildcard": true
                  }
                }
              ]
            }
          },
          "aggs": {
            "group_by_app_name": {
              "terms": {
                "script": {
                  "source": "doc['cf_app_name.keyword'] "
                },
                "size": 10
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "someone@somecompany.com"
        ],
        "subject": "404 Report",
        "body": {
          "html": "These are the app(s) which hit 404 Response Code in last 1 hour: <br><br> <table><tr><th>AppName</th><th>Hits</th></tr>{{#ctx.payload.aggregations.group_by_app_name.buckets}} <tr><td> {{key}} </td><td> {{doc_count}} </td></tr> {{/ctx.payload.aggregations.group_by_app_name.buckets}}</table>"
        }
      }
    }
  }
}
```
The following is the output I get when I execute the above watcher:
These are the application(s) which hit 404 Response Code in the last 1 hour:
|AppName|Hits|
|---|---|
|App1 |78 |
|App2 |76 |
|App3 |62 |
|App4 |10 |
|App5 |9 |
|App6 |5 |
|App7 |5 |
|App8 |4 |
|App9 |4 |
|App10 |3|
[I tried to paste the exact table, but this is how it came out after copying and pasting.]
I am also attaching the output which I get when I run the watcher:
```json
{
  "watch_id": "_inlined_",
  "node": "5qy-C9IiRiKgyg0yTtPXOA",
  "state": "executed",
  "user": "some_person",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2020-05-05T02:53:58.024Z"
    },
    "last_checked": "2020-05-05T02:53:58.024Z",
    "last_met_condition": "2020-05-05T02:53:58.024Z",
    "actions": {
      "send_email": {
        "ack": {
          "timestamp": "2020-05-05T02:53:58.024Z",
          "state": "ackable"
        },
        "last_execution": {
          "timestamp": "2020-05-05T02:53:58.024Z",
          "successful": true
        },
        "last_successful_execution": {
          "timestamp": "2020-05-05T02:53:58.024Z",
          "successful": true
        }
      }
    },
    "execution_state": "executed",
    "version": -1
  },
  "trigger_event": {
    "type": "manual",
    "triggered_time": "2020-05-05T02:53:58.024Z",
    "manual": {
      "schedule": {
        "scheduled_time": "2020-05-05T02:53:58.024Z"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60m",
                      "lte": "now"
                    }
                  }
                },
                {
                  "query_string": {
                    "query": "message: \"HTTP/1.1 404\"",
                    "analyze_wildcard": true
                  }
                }
              ]
            }
          },
          "aggs": {
            "group_by_app_name": {
              "terms": {
                "script": {
                  "source": "doc['cf_app_name.keyword'] "
                },
                "size": 10
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "metadata": {
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2020-05-05T02:53:58.024Z",
    "execution_duration": 1256,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 108,
          "failed": 0,
          "successful": 108,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 300,
          "max_score": 0
        },
        "took": 1254,
        "timed_out": false,
        "aggregations": {
          "group_by_app_name": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 23,
            "buckets": [
              {
                "doc_count": 78,
                "key": "App1"
              },
              {
                "doc_count": 76,
                "key": "App2"
              },
              {
                "doc_count": 62,
                "key": "App3"
              },
              {
                "doc_count": 10,
                "key": "App4"
              },
              {
                "doc_count": 9,
                "key": "App5"
              },
              {
                "doc_count": 5,
                "key": "App6"
              },
              {
                "doc_count": 5,
                "key": "App7"
              },
              {
                "doc_count": 4,
                "key": "App8"
              },
              {
                "doc_count": 4,
                "key": "App9"
              },
              {
                "doc_count": 3,
                "key": "App10"
              }
            ]
          }
        }
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "*"
          ],
          "types": [],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "must": [
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-60m",
                        "lte": "now"
                      }
                    }
                  },
                  {
                    "query_string": {
                      "query": "message: \"HTTP/1.1 404\"",
                      "analyze_wildcard": true
                    }
                  }
                ]
              }
            },
            "aggs": {
              "group_by_app_name": {
                "terms": {
                  "script": {
                    "source": "doc['cf_app_name.keyword'] "
                  },
                  "size": 10
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": true,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 300
        }
      }
    },
    "actions": [
      {
        "id": "send_email",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "send_email__inlined__dd8a1a02-8055-4171-9159-7465837b29c9-2020-05-05T02:53:58.024Z",
            "sent_date": "2020-05-05T02:53:59.281Z",
            "to": [
              "someone@somecompany.com"
            ],
            "subject": "404 Report",
            "body": {
              "html": "These are the app(s) which hit 404 HTTP Response Code in last 1 hour <br /><br /> <head></head><body> <table><tr><th>AppName</th><th>Hits</th></tr><tr><td> App1 </td><td> 78 </td></tr><tr><td> App2 </td><td> 76 </td></tr><tr><td> App3 </td><td> 62 </td></tr><tr><td> App4 </td><td> 10 </td></tr><tr><td> App5 </td><td> 9 </td></tr><tr><td> App6 </td><td> 5 </td></tr><tr><td> App7 </td><td> 5 </td></tr><tr><td> App8 </td><td> 4 </td></tr><tr><td> App9 </td><td> 4 </td></tr><tr><td> App10 </td><td> 3 </td></tr></table></body>"
            }
          }
        }
      }
    ]
  },
  "messages": []
}
```
I want this watcher to include all response codes (like 3 tables for 3 response codes), so that I can get a single email with a consolidated report instead of multiple emails based on the number of response codes to be searched for (like 3 emails for 3 response codes).
How can I accomplish this? If you can, please do not provide an answer directing me to the official docs, as I have searched a lot of links to get this watcher up and running. Any help is much appreciated. Thanks in advance!!
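One way to turn the single-code watch above into a one-email, one-table-per-code report, as an added example that is not part of the original post and not Elastic's own code: instead of putting the status code into the query and running one watch per code, keep a single search, let a `filters` aggregation split the hits by status code, and nest the existing top-10 `terms` aggregation under each filter bucket. The Mustache template then loops over each bucket's `group_by_app_name.buckets` in turn, producing one `<table>` per code. The script below generalises the post's 404 case to any list of codes. It reuses the post's field names (`message`, `cf_app_name.keyword`) and the `now-60m` window; the index pattern `app-logs-*`, the recipient address, the bucket-name prefix `code_` and the sample payload are assumptions made for this example.

```python
"""Build one Elastic Watcher definition that reports the top-10 apps per HTTP
status code, one HTML table per code, in a single hourly e-mail.

Added example, not the original poster's code. Assumptions (labelled):
  - log lines are in a field named `message` and the app name is in the
    keyword field `cf_app_name.keyword` (both taken from the post);
  - the index pattern `app-logs-*` and the recipient address are placeholders.
"""
import json


def status_clause(code):
    # One phrase filter per status code: the same text the poster matched with
    # query_string, but as match_phrase so no query-syntax escaping is needed.
    return {"match_phrase": {"message": "HTTP/1.1 " + code}}


def build_aggs(codes):
    # `filters` partitions the error lines by status code; the nested `terms`
    # aggregation yields the top 10 apps inside each partition. Bucket names are
    # prefixed with "code_" so the Mustache path never starts with a digit.
    return {
        "by_status": {
            "filters": {"filters": {"code_" + c: status_clause(c) for c in codes}},
            "aggs": {
                "group_by_app_name": {
                    "terms": {"field": "cf_app_name.keyword", "size": 10}
                }
            },
        }
    }


def build_html_template(codes):
    # One <table> per code; each Mustache section iterates that code's buckets.
    parts = ["These are the app(s) which hit each response code in the last hour:"]
    for c in codes:
        path = "ctx.payload.aggregations.by_status.buckets.code_" + c + ".group_by_app_name.buckets"
        parts.append(
            "<h3>" + c + "</h3><table><tr><th>AppName</th><th>Hits</th></tr>"
            "{{#" + path + "}}<tr><td>{{key}}</td><td>{{doc_count}}</td></tr>{{/" + path + "}}"
            "</table>"
        )
    return "".join(parts)


def build_watch(codes, recipient="someone@example.invalid", index_pattern="app-logs-*"):
    # The bool query keeps only lines carrying one of the wanted codes, so
    # ctx.payload.hits.total (used by the condition) counts error lines only and
    # the watch stays silent in an hour with no errors at all.
    return {
        "trigger": {"schedule": {"interval": "60m"}},
        "input": {
            "search": {
                "request": {
                    "indices": [index_pattern],
                    "body": {
                        "size": 0,
                        "query": {
                            "bool": {
                                "filter": [{"range": {"@timestamp": {"gte": "now-60m", "lte": "now"}}}],
                                "should": [status_clause(c) for c in codes],
                                "minimum_should_match": 1,
                            }
                        },
                        "aggs": build_aggs(codes),
                    },
                }
            }
        },
        "condition": {"compare": {"ctx.payload.hits.total": {"gte": 1}}},
        "actions": {
            "send_email": {
                "email": {
                    "profile": "standard",
                    "to": [recipient],
                    "subject": "Hourly HTTP error report (" + ", ".join(codes) + ")",
                    "body": {"html": build_html_template(codes)},
                }
            }
        },
    }


def watch_json(codes):
    # The document to PUT to _watcher/watch/<id> (or paste into the simulator).
    return json.dumps(build_watch(codes), indent=2)


def top_apps(payload, code):
    # Pure-Python equivalent of what the Mustache section for `code` iterates:
    # (app, hits) pairs for that status code, already sorted by Elasticsearch.
    bucket = payload["aggregations"]["by_status"]["buckets"]["code_" + code]
    return [(b["key"], b["doc_count"]) for b in bucket["group_by_app_name"]["buckets"]]


# Constructed sample of the payload shape the filters aggregation returns.
SAMPLE_PAYLOAD = {
    "hits": {"total": 5},
    "aggregations": {"by_status": {"buckets": {
        "code_404": {"doc_count": 3, "group_by_app_name": {"buckets": [
            {"key": "App1", "doc_count": 2}, {"key": "App2", "doc_count": 1}]}},
        "code_500": {"doc_count": 2, "group_by_app_name": {"buckets": [
            {"key": "App3", "doc_count": 2}]}},
        "code_503": {"doc_count": 0, "group_by_app_name": {"buckets": []}},
    }}},
}

if __name__ == "__main__":
    print(watch_json(["404", "500", "503"]))
```

Running the script prints the complete watch for 404, 500 and 503; adding a code is a one-element change to the list. Two points worth keeping from this shape: the search is scoped to a concrete index pattern rather than `*`, so the watch only reads the indices it needs, and the three `match_phrase` clauses in `should` mean `hits.total` reflects error lines only, which keeps the `gte: 1` condition meaningful. A code with no hits in the window still gets its bucket (with an empty `buckets` list), so the e-mail always contains the same number of tables.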