Hello,
Is it possible to include all of the hosts that have met the watcher's condition in a single email? Once a day, I would like to send my clients a list of the devices that have met the condition.
Here is my config so far:
{
"trigger": {
"schedule": {
"interval": "24h"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"poller-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"sort": [
{
"timestamp": {
"order": "desc"
}
}
],
"query": {
"bool": {
"must": [
{
"wildcard": {
"host": {
"value": "device_*"
}
}
},
{
"range": {
"timestamp": {
"gte": "now-1d",
"lte": "now"
}
}
}
]
}
},
"aggs": {
"host": {
"terms": {
"field": "host.keyword",
"size": 10000
},
"aggs": {
"inErrors": {
"sum": {
"field": "inErrors"
}
},
"in_errors": {
"bucket_script": {
"buckets_path": {
"var1": "inErrors"
},
"script": "if (params.var1 > 0) { return(params.var1) } else{ return(0)}"
}
},
"outErrors": {
"sum": {
"field": "outErrors"
}
},
"out_errors": {
"bucket_script": {
"buckets_path": {
"var1": "outErrors"
},
"script": "if (params.var1 > 0) { return(params.var1)} else{ return(0)}"
}
},
"inDiscards": {
"sum": {
"field": "inDiscards"
}
},
"in_Discards": {
"bucket_script": {
"buckets_path": {
"var1": "inDiscards"
},
"script": "if (params.var1 > 0) { return(params.var1)} else{ return(0)}"
}
},
"outDiscards": {
"sum": {
"field": "outDiscards"
}
},
"out_Discards": {
"bucket_script": {
"buckets_path": {
"var1": "outDiscards"
},
"script": "if (params.var1 > 0) { return(params.var1)} else{ return(0)}"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"source": "ArrayList arr = ctx.payload.aggregations.host.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i].in_Discards.value == params.threshold || arr[i].out_Discards.value == params.threshold || arr[i].out_errors.value == params.threshold || arr[i].in_errors.value == params.threshold) { return true; } } return false;",
"lang": "painless",
"params": {
"threshold": 0
}
}
},
"actions": {
"send_email": {
"foreach": "ctx.payload.results",
"throttle_period_in_millis": 1800000,
"email": {
"profile": "standard",
"to": [
"***********@************"
],
"subject": "Alert {{ctx.result.total}} Devices With Discards/Errors",
"body": {
"text": """ The Device: {{ctx.payload.key}} Had:
{{ctx.payload.in_errors}} In Errors.
"""
}
}
}
},
"transform": {
"script": {
"source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.host.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.in_Discards = arr[i].in_Discards.value; filteredHit.out_Discards = arr[i].out_Discards.value; filteredHit.in_errors = arr[i].in_errors.value; filteredHit.out_errors = arr[i].out_errors.value; if (filteredHit.in_Discards == params.threshold || filteredHit.out_Discards == params.threshold || filteredHit.in_errors == params.threshold || filteredHit.out_errors == params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
"lang": "painless",
"params": {
"threshold": 0
}
}
}
}
Any help would be greatly appreciated!