How to write a watcher with match, term aggregation, and count?

Hi,

I am using the 6.5 GA stack. I use heartbeat to ping 3 hosts like hosts: ["192.168.0.1:9092","192.168.0.2:9093","192.168.0.3:9094"] and push them to the heartbeat index. The mapping can be found at http://freetexthost.com/ddx5am0udp because it is lengthy.

I am trying out "features" to check if it's worth buying a license, and don't know if it can satisfy my use case. I would like to know if it is possible to send an alert based on my conditions:

  1. monitor.status = down
  2. Watcher should run every 2 minutes
  3. If the count for any of the hosts is >= 3, then an email alert should be sent

Could somebody kindly help me write the query part of the rule? Below is my current config:

    "body": {
      "query": {
        "bool": {
          "filter": {
            "range": {
              "@timestamp": {
                "gte": "now-30s/s",
                "lte": "now/s",
                "format": "epoch_millis"
              }
            }
          },
          "must": {
            "match": {
              "monitor.status": "down"
            }
          }
        }
      },
      "size": 0,
      "aggs": {
        "termAgg": {
          "terms": {
            "field": "monitor.host"
          }
        }
      }
    }

Thanks

The query part looks good. I think the interesting part is the condition, where you need to check if the doc_count in any of the buckets is greater than three - this basically means you need to go through each of the buckets and check the doc_count field.

A good start for this could be the alerting examples in the examples repo.

Hope this helps!

Hi @spinscale it has so many files. Which one are you pointing to?

Thanks.

I suggest going through the condition scripts of all the watches listed there to get some more understanding.
