Multiple Conditions in Elastic Watcher

ishyherts · December 22, 2021, 4:09pm

Hi,

I am using a watcher to alert via email if "tracking.softQuota.percentageUsed" > 50(%) - this record (hit) also comes with a field meta.application which identifies a certain client or customer.
This watcher runs more than once an hour and as you can imagine, if the value returned above is greater than 50, it will fire and email me.
I only want it to email me once a day using throttle BUT ...
the next hit in the index for the same same search might be from a different client and if that happens, I want the throttle email setting to be disregarded and one email sent as the meta.application is unique in this instance. So, every time (max 1 time a day) a hit is receieved with a > 50% "tracking.softQuota.percentageUsed" and meta.application being unique, I want to be alerted.

If the result is the same as the last hit (by meta.application name), then I dont want to be alerted again for the day. I hope this makes sense as I find it challenging to even explain this. I have reached out to Support and they have also raised a feature ticket internally.

I've tried things like:

             "must_not": [
                {
                  "match_phrase": {
                    "meta.application": {
                      "query": "ctx.payload.hits.hits.1._source.meta.application"
                    }
                  }
                }
              ]

AND

  "condition": {
    "script": {
      "source": "return ctx.payload.hits.total > params.app_hits && ctx.payload.hits.hits.0._source.meta.application != params.app_previous",
      "lang": "painless",
      "params": {
        "app_hits": 0,
        "app_previous": "{{ ctx.payload.hits.hits.1._source.meta.application }}"
      }
    }
  },

Nothing seemed to work, please share your ideas, thanks.

ptamba · December 22, 2021, 6:05pm

if i understand correctly, you want to be alerted only once a day for a unique client when a certain condition occurs? if so, what i previously tried was storing all historical occurrences in an index, then use chained input in watcher

input 1 queries the latest document
input 2 queries historical occurrences in the past

watcher condition will be, if quota > 50% and the client has not been seen before (based on input 2), otherwise do nothing. so even if quota is 50%, watcher action will not be triggered if the client exists in the historical index

watcher action will be to send alert as well as storing the event into historical index

ishyherts · December 23, 2021, 8:58am

@ptamba thanks for your response. Do you have any sample code you can share please? I will also take a look at doing this in the meantime.

ptamba · December 23, 2021, 4:11pm

This blog post, though an old one, provides example of the use case I mentioned above, i.e.

using chained inputs
watcher conditions to check previous occurrence
watcher multiple actions

system · January 20, 2022, 4:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher Kibana : How can i use double condition in a "compare" Elasticsearch elastic-stack-alerting	7	6101	April 4, 2019
Can set the Watcher with Time period in 2 Codition Elasticsearch elastic-stack-alerting	5	648	February 12, 2020
Multiple Condition Watcher Elasticsearch elastic-stack-alerting	5	4002	January 4, 2017
How do I use multiple conditions in condition script watcher Elasticsearch elastic-stack-alerting , painless	1	525	May 7, 2021
Elasticsearch watcher multiple indices Elasticsearch elastic-stack-alerting	3	721	July 2, 2019

Multiple Conditions in Elastic Watcher

Related Topics