How to trade on a value in Watcher - Elasticsearch

Hi,

I have the following watcher:
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "system.cpu.total.norm.pct": {
                      "gte": 0.8
                    }
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-1m"
                  }
                }
              }
            }
          },
          "aggs": {
            "servidores": {
              "terms": {
                "field": "host.hostname"
              },
              "aggs": {
                "max_cpu": {
                  "max": {
                    "field": "system.cpu.total.norm.pct"
                  }
                },
                "avg_cpu": {
                  "avg": {
                    "field": "system.cpu.total.norm.pct"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "throttle_period_in_millis": 300000,
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gt": 0
          }
        }
      },
      "email": {
        "profile": "standard",
        "to": [
          "<emailtest@hotmail.com>"
        ],
        "subject": "[elastic] Warning Incident started: Alert - High CPU consumption - Machines > 80% ",
        "body": {
          "html": " <h3> Machines with CPU over 80%</h3>\n <ul>\n {{#ctx.payload.aggregations.servidores.buckets}} \n <li> {{key}} {{max_cpu.value}}%</li>\n {{/ctx.payload.aggregations.servidores.buckets}}\n </ul>"
        }
      }
    }
  }
}

The following image shows how the data is arriving in the mail:
[image: 2019-12-19]

As you can see, the values are shown as decimals. What I want is to see them as percentages, for example: 94.20%, 86.5%, 83.8%, 99.3%, rounded to two digits.

I have tried to implement it using the following:
"transform":{
"script": "return: [cputest:system.cpu.total.norm.pct]"
}

But it shows me an error in the syntax of the query.

I hope you can help me.

Regards.

You need to specify ctx.payload as a prefix to access anything in the payload. The way to go here would be to loop through the aggregation buckets in the payload and then convert them to two-digit percentages.

Take a look at this example

POST _xpack/watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "10h"
      }
    },
    "input": {
      "simple": {
        "numbers": [
          {
            "value": 45.3443453
          },
          {
            "value": 12
          },
          {
            "value": 66.477
          }
        ]
      }
    },
    "actions": {
      "logme": {
        "transform" : {
          "script" : """
def df = new DecimalFormat("#.##");
return ['numbers' : ctx.payload.numbers.stream().map(n -> df.format(n.value)).collect(Collectors.toList()) ];
"""
        },
        "logging": {
          "text": "{{ctx.payload}}"
        }
      }
    }
  }
}
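
Applied to the bucket shape of the terms aggregation in the question, the same approach looks like this (an added example, not part of the original replies). The host names and values in the simple input are constructed, and `servers`, `host` and `max_cpu_pct` are key names chosen here; the `0.00` pattern keeps trailing zeros, so 0.942 is rendered as 94.20.

```console
POST _xpack/watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "10h"
      }
    },
    "input": {
      "simple": {
        "aggregations": {
          "servidores": {
            "buckets": [
              { "key": "host-a", "max_cpu": { "value": 0.942 } },
              { "key": "host-b", "max_cpu": { "value": 0.8654 } }
            ]
          }
        }
      }
    },
    "actions": {
      "logme": {
        "transform": {
          "script": """
// Constructed example: scale each bucket's max_cpu to a percentage with two decimals.
def df = new DecimalFormat("0.00");
return ['servers' : ctx.payload.aggregations.servidores.buckets.stream()
  .map(b -> ['host' : b.key, 'max_cpu_pct' : df.format(b.max_cpu.value * 100)])
  .collect(Collectors.toList())];
"""
        },
        "logging": {
          "text": "{{#ctx.payload.servers}}{{host}} {{max_cpu_pct}}% {{/ctx.payload.servers}}"
        }
      }
    }
  }
}
```

Because a transform replaces the payload, the Mustache template iterates over `ctx.payload.servers` rather than over the original aggregation buckets.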

Hi Alex

This is my new code:
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "system.cpu.total.norm.pct": {
                      "gte": 0.8
                    }
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-1m"
                  }
                }
              }
            }
          },
          "aggs": {
            "servidores": {
              "terms": {
                "field": "host.hostname"
              },
              "aggs": {
                "max_cpu": {
                  "max": {
                    "field": "system.cpu.total.norm.pct"
                  }
                },
                "avg_cpu": {
                  "avg": {
                    "field": "system.cpu.total.norm.pct"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "throttle_period_in_millis": 300000,
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gt": 0
          }
        }
      },
      "email": {
        "profile": "standard",
        "to": [
          "emailtest@hotmail.com"
        ],
        "subject": "[elastic] Warning Incident started: Alerta - Alto consumo de CPU - Maquinas > 80% ",
        "body": {
          "html": "<h3>Maquinas con CPU superior a 80%</h3>\n <ul>\n {{#ctx.payload.aggregations.servidores.buckets}} \n <li> {{key}} {{test}}</li>\n {{/ctx.payload.aggregations.servidores.buckets}}\n </ul>"
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": "def df = new DecimalFormat('#.##');return ['test' : ctx.payload.system.cpu.total.norm.pct.stream().map(n -> df.format(n.value)).collect(Collectors.toList()) ];",
      "lang": "painless"
    }
  }
}

But it shows me the following error:

Please share the complete output of the execute watch API.
