In my Elastic Watcher , Unable to get system.cpu.user.norm.pct value in percentage

sonirajil · October 16, 2023, 1:26pm

I am newbie to Painless , In my watch , I want to get system.cpu.user.norm.pct value in percentage not actual value (i.e. currently I am getting 0.90 for 90%) for which I need to multiply by 100 which I am unable to do successfully after lot and lot of trials I am seeking help here in this forum .
I am getting quite a intuitive error which I am not able to solve .

        "caused_by": {
          "type": "class_cast_exception",
          "reason": "Cannot apply [*] operation to types [java.lang.String] and [java.lang.Integer]."
        }
      }
    },
    "actions": []
  },
  "messages": [
    "failed to execute watch transform"

and below is my full watch code :
(I used for loop to create an individual mail for each instance of threshold breach as per requirement)

{
  "trigger": {
    "schedule": {
      "interval": "2m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-new*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "wildcard": {
                    "tags": {
                      "value": "test-qa-machine"
                    }
                }
                },
                {
                  "match": {
                    "event.dataset": "system.cpu"
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-5m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "hostname": {
              "terms": {
                "field": "agent.hostname",
                "size": 1000
              },
              "aggs": {
                "avg_cpu": {
                  "avg": {
                    "field": "system.cpu.user.norm.pct"
                  }
                },
                "avg_cpu_bucket_filter": {
                  "bucket_selector": {
                    "buckets_path": {
                      "avgcpu": "avg_cpu"
                    },
                    "script": "params.avgcpu > 0.10"
                  }
                },
                "sort_by_hostname": {
                  "bucket_sort": {
                    "sort": [
                      {
                        "avg_cpu": {
                          "order": "desc"
                        }
                      }
                    ]
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.hostname.buckets.0.doc_count": {
        "gt": 0
      }
    }
  },
 "transform": {
	"script": {
      "source": "return ['avg_cpu_percent': params.avgcpu * 100]",
      "lang": "painless",
      "params": {
        "avgcpu": "ctx.payload.aggregations.hostname.buckets[0].avg_cpu.value"
      }
    }
  },
  "actions": {
    "foreach_bucket": {
      "foreach": "ctx.payload.aggregations.hostname.buckets",
      "max_iterations": 10,
      "email": {
        "profile": "standard",
        "from": "elk@noreply.com",
        "to": [
          "rajil@abc.com"
        ],
        "subject": "Alert: High CPU usages for Host : {{ctx.payload.key}}",
        "body": {
          "text": """ CPU usage is greater than Threshold value (95%). Please investigate. 
                      Hostname: {{ctx.payload.key}} 
                      CPU Usage: {{ctx.payload.avg_cpu_percent}}% """
        }
      }
    }
  }
}

sonirajil · October 18, 2023, 1:16pm

Please help here.

system · November 15, 2023, 1:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.