How to trade on a value in Watcher - Elasticsearch

vbryandc · December 19, 2019, 9:19pm

Hi,

I have the following watcher:
{ "trigger": { "schedule": { "interval": "1m" } }, "input": { "search": { "request": { "search_type": "query_then_fetch", "indices": [ "metricbeat-*" ], "rest_total_hits_as_int": true, "body": { "size": 0, "query": { "bool": { "must": [ { "range": { "system.cpu.total.norm.pct": { "gte": 0.8 } } } ], "filter": { "range": { "@timestamp": { "gte": "now-1m" } } } } }, "aggs": { "servidores": { "terms": { "field": "host.hostname" }, "aggs": { "max_cpu": { "max": { "field": "system.cpu.total.norm.pct" } }, "avg_cpu": { "avg": { "field": "system.cpu.total.norm.pct" } } } } } } } } }, "condition": { "compare": { "ctx.payload.hits.total": { "gt": 0 } } }, "actions": { "send_email": { "throttle_period_in_millis": 300000, "condition": { "compare": { "ctx.payload.hits.total": { "gt": 0 } } }, "email": { "profile": "standard", "to": [ "<emailtest@hotmail.com>" ], "subject": "[elastic] Warning Incident started: Alert - High CPU consumption - Machines > 80% ", "body": { "html": " <h3> Machines with CPU over 80%</h3>\n <ul>\n {{#ctx.payload.aggregations.servidores.buckets}} \n <li> {{key}} {{cpu_max.value}}%</li>\n {{/ctx.payload.aggregations.servidores.buckets}}\n </ul>" } } } } }

The following image shows how the data is arriving in the mail:
2019-12-19

As you can see the values are shown as decimals. What I want is to see them in percentages for example: 94.20%, 86.5%, 83.8%, 99.3% rounded to two digits.

I have tried to implement it using the following:
"transform":{
"script": "return: [cputest:system.cpu.total.norm.pct]"
}

But it shows me an error in the syntax of the query.

I hope you can help me.

Regards.

spinscale · December 20, 2019, 9:30am

you need to specify ctx.payload as prefix to access anything in the payload. The way to go here would be to loop through the aggregation buckets in the payload and the convert them to two digit percentages.

Take a look at this example

POST _xpack/watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "10h"
      }
    },
    "input": {
      "simple": {
        "numbers": [
          {
            "value": 45.3443453
          },
          {
            "value": 12
          },
          {
            "value": 66.477
          }
        ]
      }
    },
    "actions": {
      "logme": {
        "transform" : {
          "script" : """
def df = new DecimalFormat("#.##");
return ['numbers' : ctx.payload.numbers.stream().map(n -> df.format(n.value)).collect(Collectors.toList()) ];
"""
        },
        "logging": {
          "text": "{{ctx.payload}}"
        }
      }
    }
  }
}

vbryandc · December 20, 2019, 4:49pm

Hi Alex

This is my new code:
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"metricbeat-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"range": {
"system.cpu.total.norm.pct": {
"gte": 0.8
}
}
}
],
"filter": {
"range": {
"@timestamp": {
"gte": "now-1m"
}
}
}
}
},
"aggs": {
"servidores": {
"terms": {
"field": "host.hostname"
},
"aggs": {
"max_cpu": {
"max": {
"field": "system.cpu.total.norm.pct"
}
},
"avg_cpu": {
"avg": {
"field": "system.cpu.total.norm.pct"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"send_email": {
"throttle_period_in_millis": 300000,
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"email": {
"profile": "standard",
"to": [
"emailtest@hotmail.com"
],
"subject": "[elastic] Warning Incident started: Alerta - Alto consumo de CPU - Maquinas > 80% ",
"body": {
"html": "

Maquinas con CPU superior a 80%

\n

#ctx

{{key}} {{test}}

"
}
}
}
},
"transform": {
"script": {
"source": "def df = new DecimalFormat('#.##');return ['test' : ctx.payload.system.cpu.total.norm.pct.stream().map(n -> df.format(n.value)).collect(Collectors.toList()) ];",
"lang": "painless"
}
}
}

But it shows me the following error:

spinscale · January 8, 2020, 10:09am

please share the complete output of the execute watch API.

system · February 5, 2020, 10:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to update the field via Painless Scripting in a Watcher rule Elasticsearch elastic-stack-alerting	4	3525	January 17, 2017
Want System memory usage to be come in Percentile form Elasticsearch elastic-stack-alerting	4	1007	July 6, 2018
Watcher, action transform, Help getting "value" from this response Elasticsearch elastic-stack-alerting	3	1063	October 6, 2017
Unable to modify values from Payload Elasticsearch elastic-stack-alerting	2	552	May 21, 2018
How to express Watcher condition on a field which has a numeric key (which has a decimal point in it)? Elasticsearch elastic-stack-alerting	6	2109	July 6, 2017

How to trade on a value in Watcher - Elasticsearch

Maquinas con CPU superior a 80%

Related topics