How to set watcher condition when aggregations doc_count greater then a value

hanase · July 23, 2020, 6:10am

Hi,

I search heartbeat-* indices when status is down and want to send message to telegram

My DSL is ,

GET heartbeat-7.7.0*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "monitor.status": "down"
          }
        }
      ],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gt": "now-5m"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "alert": {
      "terms": {
        "field": "monitor.name"
      }
    }
  }
}

And aggregations result is

"aggregations" : {
    "alert" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "BC_Video_alert(BC)",
          "doc_count" : 990
        },
        {
          "key" : "AB_Video",
          "doc_count" : 5
        },
        {
          "key" : "SP_sport_alert(SABA)",
          "doc_count" : 2
        }
      ]
    }
  }

Is it passable to use watcher condition syntax, when aggregations.buckets.doc_count greater then a value

like syntax below, (but i don't know what correct syntax is)

ctx.payload.aggregations.buckets.doc_count > 20

then do some actions

thank you

spinscale · July 23, 2020, 7:49am

you can do that, but a workaround might be to specify min_doc_count in the terms aggregation and then check for ctx.payload.aggregations.alert.buckets.size > 0

hanase · July 23, 2020, 9:31am

Thank you Alexander

I fix the DSL syntax and it works !!

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 5,
          "track_total_hits": true,
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "monitor.status": "down"
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gt": "now-5m",
                      "time_zone": "+08:00"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "alert": {
              "terms": {
                "field": "monitor.name",
                "min_doc_count": 5
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.alert.buckets.size() > 0",
      "lang": "painless"
    }
  },
  "actions": {
    "my_webhook": {
      "webhook": {
        "scheme": "https",
        "host": "api.telegram.org"
~~~~~

system · August 20, 2020, 9:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher - how to set the doc_values condition for a query with a filter terms aggregation. (Detect lack of logs per hostname - use case) Elasticsearch elastic-stack-alerting , painless	3	816	November 12, 2021
Watcher condition against buckets Elasticsearch elastic-stack-alerting	2	462	July 19, 2021
How to write a watcher with match, term aggregation, and count? Elasticsearch elastic-stack-alerting	4	2088	December 31, 2018
Watcher - Write painless script for looping aggregated buckets Elasticsearch elastic-stack-alerting , painless	3	1073	January 18, 2023
Watcher Alert Condition Elasticsearch elastic-stack-monitoring , elastic-stack-alerting	4	392	August 18, 2020

How to set watcher condition when aggregations doc_count greater then a value

Related topics