How to show the beat.hostname in watcher notificaiton

Elastic Stack Elasticsearch
1

Hi,
I am trying to create a watch for monitoring the system metrics ( for e.g load, Memory or disk usage) and send notifications when certain threshold is breached along with the beatname details.

Currently have the below watch script which is working but not showing up the server name. So looking for your help ..

PUT _xpack/watcher/watch/system-load-used-alert/
{
"trigger": {
"schedule": {
"interval" : "10s"
}
},
"input" : {
"search" : {
"request" : {
"search_type": "query_then_fetch",
"indices" : [
"cadopsxlr-{now/d}"
],
"types":[],
"body": {
"size": 0,
"query": {
"range":{
"system.load.1":{
"gt":"4.0"
}
}
}
}

  }
}

},
"condition" : {
"compare" : {
"ctx.payload.hits.total" : {
"gt" : "0"
}
}
},
"actions": {
"log": {
"throttle_period": "15m",
"logging": {
"level": "INFO",
"text": "****High system load noticed on server {{XYZ}} *** "
}
}
}
}

2

Hey,

this is not a question about watcher, but merely about how to write a query, that also includes such information. For this concrete example you will need an aggregation, that will count the occurence of each beat.hostname value in the documents that match. For this you do need a terms aggregation. You can check out the documentation over here. Once you got this aggregation right, you can loop through the array of returned buckets and use each found hostname in the bucket. You might want to check out the mustache docs for this https://mustache.github.io/mustache.5.html

In addition you could use the join mustache operator, that joins together an array of values, see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/search-template.html#_concatenating_array_of_values (that requires a transform before that using though, so you should start slowly).

If you dont prefer reading all those docs and you want to dive right in, checking out some example watches might make sense as well, see here https://github.com/elastic/examples/tree/master/Alerting

--Alex

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.