Kibana X-Pack Watcher Problem

cemkuleyin · November 30, 2018, 2:33pm

Hi everyone,

We want to subscribe xpack. Before the subscribe, we are testing it.

Our case,

we have a field of process status, we want to fired alarm for success rate. In field, "COMPLETE_SUCCESS" and "AUTHENTICATION_INIT" Our formula, count(COMPLETE_SUCCESS)/count(authentication_init).

Can you explain json format.

bryan_stuhlsatz · December 2, 2018, 6:01am

Json is a file format. You need to put your trigger, input, condition, etc, in that format for the watcher to execute. https://www.elastic.co/guide/en/x-pack/current/how-watcher-works.html

cemkuleyin · December 3, 2018, 7:17am

thanks for reply.

I create some part of alert. But i dont create condition. i have a two search, first and second. i want to calculate first/second (percentage) < 50% .

Can you examine this condition?

Kind Regards,

Cem

"trigger": {
"schedule": {
"interval": "10m"
}
},
"input": {
"chain": {
"inputs": [
{
"first": {
"search": {
"request": {
"indices": [
"graylog*"
],
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"ctxt_page_name": "Thank You"
}
},
{
"range": {
"timestamp": {
"from": "now-5m",
"to": "now"
}
}
}
]
}
}
}
}
}
}
},
{
"second": {
"search": {
"request": {
"indices": [
"graylog*"
],
"types": ,
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"ctxt_page_name": "Payment"
}
},
{
"range": {
"timestamp": {
"from": "now-5m",
"to": "now"
}
}
}
]
}
}
}
}
}
}
}
]
}
},
"condition": {
"script": {
"source": "return ((ctx.payload.first.hits.total / ctx.payload.second.hits.total)*100) < 50",
"lang": "painless"
}
},
"actions": {
"email_users": {
"email": {
"profile": "standard",
"attachments": {
"copy_of_search_results.txt": {
"data": {
"format": "json"
}
}
},
"priority": "high",
"to": [
"cem.kuleyin@enuygun.com"
],
"subject": "ELASTIC STACK ALERT: Payment processing issues in Application!",
"body": {
"html": "--Alerts Notification Details--
This alert triggered because a total of {{ctx.payload.first.hits.total}} timeout logs and {{ctx.payload.second.hits.total}} payment approvals were found in the application within the last ten minutes!

ALERT NAME: {{ctx.watch_id}}
Link to Kibana Dashboard: https://your.secure.link.here"
}
}
}
},
"throttle_period": "1h"
}

cemkuleyin · December 4, 2018, 11:11am

@bryan_stuhlsatz . please can you help me?

bryan_stuhlsatz · December 5, 2018, 5:42am

Sorry, you don't explain your problem. At first, you state "Can you explain Json?" Now you have your watcher rule, and say "can you help me?" Please state the problem you are having.

cemkuleyin · December 10, 2018, 12:02pm

im sorry. In our json, we are calculating two state, (first and second) i want to calculate first/second for alert. But i cannot calculate it.

is it enough for you? @bryan_stuhlsatz

system · January 7, 2019, 12:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.