Kibana X-Pack Watcher Problem

cemkuleyin · 2018-11-30 14:33:41 UTC

Hi everyone,

We want to subscribe xpack. Before the subscribe, we are testing it.

Our case,

we have a field of process status, we want to fired alarm for success rate. In field, "COMPLETE_SUCCESS" and "AUTHENTICATION_INIT" Our formula, count(COMPLETE_SUCCESS)/count(authentication_init).

Can you explain json format.

bryan_stuhlsatz · 2018-12-02 06:01:01 UTC

Json is a file format. You need to put your trigger, input, condition, etc, in that format for the watcher to execute. https://www.elastic.co/guide/en/x-pack/current/how-watcher-works.html

cemkuleyin · 2018-12-03 07:17:06 UTC

thanks for reply.

I create some part of alert. But i dont create condition. i have a two search, first and second. i want to calculate first/second (percentage) < 50% .

Can you examine this condition?

Kind Regards,

Cem

"trigger": {
"schedule": {
"interval": "10m"
}
},
"input": {
"chain": {
"inputs": [
{
"first": {
"search": {
"request": {
"indices": [
"graylog*"
],
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"ctxt_page_name": "Thank You"
}
},
{
"range": {
"timestamp": {
"from": "now-5m",
"to": "now"
}
}
}
]
}
}
}
}
}
}
},
{
"second": {
"search": {
"request": {
"indices": [
"graylog*"
],
"types": ,
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"ctxt_page_name": "Payment"
}
},
{
"range": {
"timestamp": {
"from": "now-5m",
"to": "now"
}
}
}
]
}
}
}
}
}
}
}
]
}
},
"condition": {
"script": {
"source": "return ((ctx.payload.first.hits.total / ctx.payload.second.hits.total)*100) < 50",
"lang": "painless"
}
},
"actions": {
"email_users": {
"email": {
"profile": "standard",
"attachments": {
"copy_of_search_results.txt": {
"data": {
"format": "json"
}
}
},
"priority": "high",
"to": [
"cem.kuleyin@enuygun.com"
],
"subject": "ELASTIC STACK ALERT: Payment processing issues in Application!",
"body": {
"html": "--Alerts Notification Details--
This alert triggered because a total of {{ctx.payload.first.hits.total}} timeout logs and {{ctx.payload.second.hits.total}} payment approvals were found in the application within the last ten minutes!

ALERT NAME: {{ctx.watch_id}}
Link to Kibana Dashboard: https://your.secure.link.here"
}
}
}
},
"throttle_period": "1h"
}

cemkuleyin · 2018-12-04 11:11:24 UTC

@bryan_stuhlsatz . please can you help me?

bryan_stuhlsatz · 2018-12-05 05:42:46 UTC

Sorry, you don't explain your problem. At first, you state "Can you explain Json?" Now you have your watcher rule, and say "can you help me?" Please state the problem you are having.

cemkuleyin · 2018-12-10 12:02:33 UTC

im sorry. In our json, we are calculating two state, (first and second) i want to calculate first/second for alert. But i cannot calculate it.

is it enough for you? @bryan_stuhlsatz