Metrics aggregation query

Hi,
I have an ELK pipeline to read logs and capture metrics; now I am unable to figure out the following statement, or how to query the datapoints for the ELK Watcher:
metric_x >= 500 for 5 datapoints within 5 minutes with statistic "maximum". What should my query be in the watcher input and condition? Currently I have the following attached condition:
@spinscale @felixbarny

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "prod-dash-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-3m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "metricAgg": {
              "sum": {
                "field": "metric_xxxx"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "always": {}
  },
  "actions": {
    "pagerduty": {
      "throttle_period_in_millis": 1800000,
      "condition": {
        "script": {
          "source": "if (ctx.payload.aggregations.metricAgg.value > params.threshold) { return true; } return false;",
          "lang": "painless",
          "params": {
            "threshold": 4
          }
        }
      },
      "webhook": {
        "scheme": "https",
        "host": "events.pagerduty.com",
        "port": 443,
        "method": "post",
        "path": "/generic/2010-04-15/create_event.json",
        "params": {},
        "headers": {
          "Content-type": "application/json"
        },
        "body": "{\"service_key\": \"xxxx\",\"incident_key\": \"xxx\",\"event_type\": \"trigger\",\"description\": \"xxxx for xxx>4 in last 3 minutes\"}"
      }
    },
    "pagerduty-resolve": {
      "condition": {
        "script": {
          "source": "if (ctx.payload.aggregations.metricAgg.value < params.threshold) { return true; } return false;",
          "lang": "painless",
          "params": {
            "threshold": 4
          }
        }
      },
      "webhook": {
        "scheme": "https",
        "host": "events.pagerduty.com",
        "port": 443,
        "method": "post",
        "path": "/generic/2010-04-15/create_event.json",
        "params": {},
        "headers": {
          "Content-type": "application/json"
        },
        "body": "{\"service_key\": \"xxxxx\",\"incident_key\": \"xx\",\"event_type\": \"resolve\",\"description\": \"Issue resolved xxxxx>4 in last 3 minutes\"}"
      }
    }
  }
}

Please do not ping people directly here unless they are involved in the thread. Keep in mind that this is a fully voluntary forum. Thanks! :slight_smile:

metric_x > 500 sounds like a query to me. Search all documents where "metric_x > 500" and check if the number of documents is greater than 5? Can you explain what you mean with statistic maximum?

Ok, my apologies, @spinscale.
I mean, suppose I have a metric x and max(x) > 500 more than 5 times in the last 5 min (given my metrics are being written to the log file every 5 seconds); I need a search query for that.
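One way to express "max >= 500 in at least 5 one-minute periods of the last 5 minutes", as an added example written for this thread and not taken from the posts above or from the Elastic documentation: bucket the window with a date_histogram, take the max of the metric per bucket, and count the buckets that cross the threshold in the condition script. It assumes the field is named `metric_x`, the index pattern `prod-dash-*` from the watch above, an Elasticsearch version that accepts `fixed_interval` (older versions use `interval`), and a placeholder logging action where the PagerDuty webhooks would go.

```json
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "prod-dash-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "exists": { "field": "metric_x" } },
                { "range": { "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                    "lte": "{{ctx.trigger.scheduled_time}}" } } }
              ]
            }
          },
          "aggs": {
            "per_minute": {
              "date_histogram": { "field": "@timestamp", "fixed_interval": "1m", "min_doc_count": 1 },
              "aggs": { "max_x": { "max": { "field": "metric_x" } } }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "params": { "threshold": 500, "min_buckets": 5 },
      "source": "int n = 0; for (def b : ctx.payload.aggregations.per_minute.buckets) { if (b.max_x.value >= params.threshold) { n++; } } return n >= params.min_buckets;"
    }
  },
  "actions": {
    "alert": {
      "logging": { "text": "metric_x max >= 500 in at least 5 of the last 5 one-minute buckets" }
    }
  }
}
```

The `min_doc_count: 1` and `exists` filter keep empty buckets (whose max would be null) out of the count, and because the window is not aligned to minute boundaries the histogram can return a sixth partial bucket, which the `>=` comparison tolerates.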
