Hi,
I have an event every minute stored in elastisearch.
I would like to monitor a field value. For example, if the field value increase by 10% in a timeframe, then an alert is triggered. Is it possible to do that with watcher ?
thank you for your help
--
Jeremy
It's possible, https://www.elastic.co/guide/en/watcher/current/watching-time-series-data.html has some basic info on it.
Thank you Mark for your quick response 
the example use the total hits in the condition. How to deal with field value change ? Compute the field value increase from older events ?
Hey,
your question is really broad and potentially hard to answer. If you mean by stateful, that it keeps previous watch executions in memory and compares former values from the responses, then the answer is no.
However, if you have an input in watcher that searches data, you can just search across several time windows (like the last 5 minutes and the last 5-10 minutes) and then compare those windows and check if the values of those time frames increased by 10% in a scripted condition.
I hope this helps, otherwise please refine your question and I'll try to answer
--Alex
thank you Alex, that's exactly what I would like to do
But how to search accros several time windows ? Do you have an example ?
thank you
Hey,
just search through this forum and you will see a bunch of watches with aggregations to get the basic idea. Searching for 'aggregations filters' should also help. The documentation for the filters agg should also help.
--Alex
Will do that thank you Alex
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.