Kibana Watcher Advanced query is not working as expected

fredrick.bb · October 28, 2020, 8:42pm

Hello

I'm finding hard time to have working query to execute Kibana Watcher. I feel my condition and query is correct but it didn't execute as per the condition. Could you confirm what is wrong in this?

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*Index*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "must": [],
              "filter": [
                {
                  "bool": {
                    "filter": [
                      {
                        "bool": {
                          "should": [
                            {
                              "match": {
                                "APPLICATION_NAME": "order"
                              }
                            }
                          ],
                          "minimum_should_match": 1
                        }
                      },
                      {
                        "bool": {
                          "filter": [
                            {
                              "bool": {
                                "should": [
                                  {
                                    "match": {
                                      "PARTITION": 3
                                    }
                                  }
                                ],
                                "minimum_should_match": 1
                              }
                            },
                            {
                              "bool": {
                                "should": [
                                  {
                                    "match_phrase": {
                                      "message": "orderXmlReceived"
                                    }
                                  }
                                ],
                                "minimum_should_match": 1
                              }
                            },
                            {
                              "range": {
                                "@timestamp": {
                                  "lte": "now-5m/m"
                                }
                              }
                            }
                          ]
                        }
                      }
                    ]
                  }
                }
              ],
              "should": [],
              "must_not": []
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "eq": 0
      }
    }
  },
  "actions": {
    "email_administrator": {
      "throttle_period_in_millis": 900000,
      "email": {
        "profile": "standard",
        "priority": "high",
        "to": [
          "myemail@gmail.com"
        ],
        "subject": "Order Partition 0 ",
        "body": {
          "text": "Please check with support team"
        }
      }
    }
  }
}

Iker · October 29, 2020, 6:11am

A couple things in your watcher.

The range for the filter if pretty deep in the query, try with it at the base, correct me if i'm wrong but I think that you try to use "gte" instead of ""lte", otherwise you are going to receive a lot of notifications.
The condition fires when there is no documents that match the conditions, with your query there is the possibility that never happens (Cause you are using lte).

fredrick.bb · October 29, 2020, 2:41pm

Thanks for you response @Iker .

My requirement itself, on those three fields for a given period of time in the given indices if there are no documents found, then email action should be triggered.

In my case the same code when I change condition from 'eq' to 'gte' It triggered email which is fine because there were documents. Which confirmed that my condition worked.
But during the real crisis time, when I check 'eq' : 0 and for no document It didn't trigger action.

I have given range as below, which means it should check past 5 mins from now.
"range": {
"@timestamp": {
"lte": "now-5m/m"
}
}
During the crisis, the watcher didn't trigger the action. Where can go and see the time range of search in the result json.

Iker · October 29, 2020, 3:31pm

To check for no documents with eq:0 you have to use gte, because the range that you specifies, checks All the documents with timestamp less than or equal to now-5m, so always is gonna be some documents, it checks from the start of the universe to now-5m, use "gte": "now-5m" to check for the last past five minutes

fredrick.bb · October 30, 2020, 1:42pm

Thanks @Iker. Above solution fixed my problem

system · November 27, 2020, 1:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Query that parses and works fine in ES, fails to parse/work in Watcher Kibana elastic-stack-alerting	3	530	April 15, 2019
Kibana watcher search results restricted to 10 Kibana	5	1391	September 21, 2018
Create advance watcher Elasticsearch	2	585	January 9, 2020
Create Kibana Watcher alerts for certain conditions Kibana	4	450	May 1, 2020
Kibana watcher alert error Elasticsearch elastic-stack-alerting	2	615	August 29, 2019

Kibana Watcher Advanced query is not working as expected

Related topics