Math in watch email

Hello,

I want to do math in my watcher, but I am not able to do it.

I have already configured a watcher, that works as it should but the output in the email (ctx.payload.result) looks like this:
16.236

Is it possible to do math on the value of ctx.payload.result? Something like "ctx.payload.result / 1024"?

Here are my watcher settings:

{
  "watch" : {
    "trigger" : {
      "schedule" : {
        "interval" : "15m"
      }
    },
    "input" : {
      "search" : {
        "request" : {
          "search_type" : "query_then_fetch",
          "indices" : [
            "test-*"
          ],
          "rest_total_hits_as_int" : true,
          "body" : {
            "size" : 0,
            "query" : {
              "bool" : {
                "filter" : {
                  "range" : {
                    "@timestamp" : {
                      "gte" : "{{ctx.trigger.scheduled_time}}||-8m",
                      "lte" : "{{ctx.trigger.scheduled_time}}",
                      "format" : "strict_date_optional_time||epoch_millis"
                    }
                  }
                }
              }
            },
            "aggs" : {
              "metricAgg" : {
                "sum" : {
                  "field" : "bytes"
                }
              }
            }
          }
        }
      }
    },
    "condition" : {
      "script" : {
        "source" : "if (ctx.payload.aggregations.metricAgg.value > params.threshold) { return true; } return false;",
        "lang" : "painless",
        "params" : {
          "threshold" : 300000000
        }
      }
    },
    "transform" : {
      "script" : {
        "source" : "ctx.payload.result = ctx.payload.result / 1024 ; return ctx.payload.result",
        "lang" : "painless"
      }
    },
    "actions" : {
      "email_1" : {
        "email" : {
          "profile" : "standard",
          "to" : [
            "my-email@test.com"
          ],
          "subject" : "Watch [{{ctx.metadata.name}}] has exceeded the threshold",
          "body" : {
            "text" : "{{ctx.payload.result}}"
          }
        }
      }
    },
    "metadata" : {
      "name" : "traffic-test",
      "watcherui" : {
        "trigger_interval_unit" : "m",
        "agg_type" : "sum",
        "time_field" : "@timestamp",
        "trigger_interval_size" : 15,
        "term_size" : 5,
        "time_window_unit" : "m",
        "threshold_comparator" : ">",
        "term_field" : null,
        "index" : [
          "test-*"
        ],
        "time_window_size" : 8,
        "threshold" : 300000000,
        "agg_field" : "bytes"
      },
      "xpack" : {
        "type" : "threshold"
      }
    }
  }
}

Maybe someone can help me.

Best regards

Two things

First, ctx.payload.result is not set in the payload of a search response. Specify a field that exists.

Second, division in Painless works like division in Java, which means dividing two integers will result in an integer, that might not be what you want.

One last link: This is a lengthy blog post about debugging and writing watches, which might help you to understand what is in a payload and how to reduce your feedback loop: https://www.elastic.co/blog/watching-the-watches-writing-debugging-and-testing-watches

Hope this helps!

Finally I read the blog post and I still don't understand how I can do math in my watcher.

You already said that I can't do math on the ctx.payload.result.

Can you give me some example of how to configure the output (doing math like /1024)?

Best regards

I have not said you cannot do math. I said, you can only do this in fields that exist, and the one you showed did not exist.

In general ctx.payload.whatever.field.you.got.that.exists/1024 is the right approach. Sorry if that wasn't clear.

Ah okay, now I understand why math is not working.

I would be pleased if you could assist me to get this running. The documentation did not help me that much in my case.

My field should be one of these:
- bytes
- ctx.payload.aggregations.metricAgg.value

"condition" : {
  "script" : {
    "source" : "if (ctx.payload.aggregations.metricAgg.value > params.threshold) { return true; } return false;",
    "lang" : "painless",
    "params" : {
      "threshold" : 300000000
    }
  }
},
"transform" : {
  "script" : {
    "source" : "HashMap result = new HashMap(); result.result = ctx.payload.aggregations.metricAgg.value; return result;",
    "lang" : "painless",
    "params" : {
      "threshold" : 300000000
    }
  }
}

"metadata" : {
  "name" : "traffic-test",
  "watcherui" : {
    "trigger_interval_unit" : "m",
    "agg_type" : "sum",
    "time_field" : "@timestamp",
    "trigger_interval_size" : 15,
    "term_size" : 5,
    "time_window_unit" : "m",
    "threshold_comparator" : ">",
    "term_field" : null,
    "index" : [
      "filebeat-*"
    ],
    "time_window_size" : 8,
    "threshold" : 300000000,
    "agg_field" : "bytes"
  },
  "xpack" : {
    "type" : "threshold"
  }
}

Here is my {{ctx}} output:

{metadata={name=traffic-test, watcherui={trigger_interval_unit=m, agg_type=sum, time_field=@timestamp, trigger_interval_size=15, term_size=5, time_window_unit=m, threshold_comparator=>, term_field=null, index=[filebeat-*], time_window_size=8, threshold=300000000, agg_field=bytes}, xpack={type=threshold}}, watch_id=inlined, payload={result=4.982547966E9}, id=_inlined__400e29e7-51b5-4203-a713-5e4c3fcabd45-2019-10-07T07:14:42.610873Z, trigger={triggered_time=2019-10-07T07:14:42.610Z, scheduled_time=2019-10-07T07:14:42.610Z}, vars={}, execution_time=2019-10-07T07:14:42.610873Z}

The next step is to define a field in the ctx output and do math on that field? Neither bytes, agg_field nor ctx.payload.aggregations.metricAgg.value is working :confused:

See this

You overwrite the existing payload with the result of the computation, thus the aggregations part is missing. A transform replaces the existing payload. If you want to add another field, then you can do something like this

ctx.payload.result = 1234;
return ctx.payload;

which enriches the payload.

--Alex
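
The advice in this thread put together, as an added example that is not from any of the posters: the condition, transform and email action of the watch from the first post, with the transform enriching the payload rather than replacing it. These three sections sit beside the existing trigger, input and metadata; dividing by 1024.0 keeps the result floating-point, and the wording of the email body is an assumption.

```json
{
  "condition" : {
    "script" : {
      "source" : "if (ctx.payload.aggregations.metricAgg.value > params.threshold) { return true; } return false;",
      "lang" : "painless",
      "params" : {
        "threshold" : 300000000
      }
    }
  },
  "transform" : {
    "script" : {
      "source" : "/* added example: add a field and return the whole payload so aggregations survive */ ctx.payload.result = ctx.payload.aggregations.metricAgg.value / 1024.0; return ctx.payload;",
      "lang" : "painless"
    }
  },
  "actions" : {
    "email_1" : {
      "email" : {
        "profile" : "standard",
        "to" : [
          "my-email@test.com"
        ],
        "subject" : "Watch [{{ctx.metadata.name}}] has exceeded the threshold",
        "body" : {
          "text" : "{{ctx.payload.result}} KiB (raw sum: {{ctx.payload.aggregations.metricAgg.value}} bytes)"
        }
      }
    }
  }
}
```

Because the transform returns ctx.payload, both the new result field and the original aggregations are available to the email template.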
