Incorporating search query into watcher

alerting

(Stecino) #1

I have the following query:

{
  "aggs": {
    "1": {
      "date_range": {
        "field": "@timestamp",
        "ranges": [
          {
            "from": "now-5m",
            "to": "now"
          }
        ]
      }
    }
  },
  "query": {
    "match": {
      "access": {
        "query": "ssl_req",
        "type": "phrase"
      }
    }
  }
}

When I execute this via curl

curl -XGET http://localhost:9201/<f5-{now%2Fd{YYYY.MM.dd}}>/_search?pretty -d

it returns the result with the aggregation at the end:

  "aggregations" : {
    "1" : {
      "buckets" : [ {
        "key" : "2017-05-18T21:04:37.303Z-2017-05-18T21:09:37.303Z",
        "from" : 1.495141477303E12,
        "from_as_string" : "2017-05-18T21:04:37.303Z",
        "to" : 1.495141777303E12,
        "to_as_string" : "2017-05-18T21:09:37.303Z",
        "doc_count" : 2207
      } ]
    }
  }
}

My questions are the following:

  1. How can I include the index name in my query, so it always runs against that same index?
  2. How can I merge all this into a watcher?
  3. How can I extract the doc_count and send out an email if it's > 0 in watcher?

(Alexander Reelsen) #2

Hey,

please take the time to format your message properly. Otherwise it is really hard to read.

Also, you should take a look at the watcher documentation, which contains a very similar example for monitoring meetup.com data. You can check the documentation right here.

--Alex
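
For readers landing on this thread, the following watch definition is an added example (not code from either poster, and not the documentation example Alex links to) that answers all three questions from the first post in one place, following the documented search-input / compare-condition / email-action pattern. It assumes a 5.x cluster, where the watch is stored with `PUT _xpack/watcher/watch/ssl_req_watch`; the date-math index name from the curl command is placed in the search input's `indices` list (question 1), the original query and aggregation form the request body (question 2), and a `compare` condition reads the first bucket's `doc_count` and fires an email when it is above zero (question 3). The aggregation is renamed from `1` to `last_5m` so the `ctx.payload...` path is unambiguous; the watch id, the recipient address and the subject are made-up placeholders, and the email action assumes an account has already been configured under `xpack.notification.email` in `elasticsearch.yml`.

```json
{
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "<f5-{now/d{YYYY.MM.dd}}>" ],
        "body": {
          "size": 0,
          "query": {
            "match": {
              "access": { "query": "ssl_req", "type": "phrase" }
            }
          },
          "aggs": {
            "last_5m": {
              "date_range": {
                "field": "@timestamp",
                "ranges": [ { "from": "now-5m", "to": "now" } ]
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.last_5m.buckets.0.doc_count": { "gt": 0 }
    }
  },
  "actions": {
    "email_security_team": {
      "email": {
        "to": "security-team@example.com",
        "subject": "ssl_req events seen in the last 5 minutes",
        "body": "{{ctx.payload.aggregations.last_5m.buckets.0.doc_count}} documents matched ssl_req between {{ctx.payload.aggregations.last_5m.buckets.0.from_as_string}} and {{ctx.payload.aggregations.last_5m.buckets.0.to_as_string}}."
      }
    }
  }
}
```

Two things worth checking before relying on this: run the watch once with `POST _xpack/watcher/watch/ssl_req_watch/_execute` and confirm in the returned `result.input.payload` that the index resolved to today's `f5-YYYY.MM.dd` index and that the bucket path in the condition matches the payload, and keep `size` at 0 so the watch history does not store the matching documents themselves, only the counts the alert needs.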


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.