Multiple Conditions in Elastic Watcher

Hi,

I am using a watcher to alert via email if "tracking.softQuota.percentageUsed" > 50(%) - this record (hit) also comes with a field meta.application which identifies a certain client or customer.
This watcher runs more than once an hour and as you can imagine, if the value returned above is greater than 50, it will fire and email me.
I only want it to email me once a day using throttle BUT ...
the next hit in the index for the same search might be from a different client and if that happens, I want the throttle email setting to be disregarded and one email sent as the meta.application is unique in this instance. So, every time (max 1 time a day) a hit is received with a > 50% "tracking.softQuota.percentageUsed" and meta.application being unique, I want to be alerted.

If the result is the same as the last hit (by meta.application name), then I don't want to be alerted again for the day. I hope this makes sense as I find it challenging to even explain this. I have reached out to Support and they have also raised a feature ticket internally.

I've tried things like:

             "must_not": [
                {
                  "match_phrase": {
                    "meta.application": {
                      "query": "ctx.payload.hits.hits.1._source.meta.application"
                    }
                  }
                }
              ]

AND

  "condition": {
    "script": {
      "source": "return ctx.payload.hits.total > params.app_hits && ctx.payload.hits.hits.0._source.meta.application != params.app_previous",
      "lang": "painless",
      "params": {
        "app_hits": 0,
        "app_previous": "{{ ctx.payload.hits.hits.1._source.meta.application }}"
      }
    }
  },

Nothing seemed to work, please share your ideas, thanks.

If I understand correctly, you want to be alerted only once a day for a unique client when a certain condition occurs? If so, what I previously tried was storing all historical occurrences in an index, then use chained input in watcher

  1. input 1 queries the latest document
  2. input 2 queries historical occurrences in the past

watcher condition will be, if quota > 50% and the client has not been seen before (based on input 2), otherwise do nothing. So even if quota is 50%, watcher action will not be triggered if the client exists in the historical index

watcher action will be to send an alert as well as storing the event into historical index

@ptamba thanks for your response. Do you have any sample code you can share please? I will also take a look at doing this in the meantime.

This blog post, though an old one, provides an example of the use case I mentioned above, i.e.

  1. using chained inputs
  2. watcher conditions to check previous occurrence
  3. watcher multiple actions
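A watch definition that puts the chained-input approach from both replies above together, written as an added example rather than code from either poster. It is the body of a `PUT _watcher/watch/<id>` request and assumes a source index pattern `quota-metrics-*` with an `@timestamp` field, a history index `quota-alert-history` that the watch itself writes to, `meta.application` mapped as a keyword, and a recipient `ops@example.com`; all of these names are placeholders. Input `latest` fetches the newest document over 50%, input `history` counts alerts already recorded for that application in the last day, the condition fires only when the first has a hit and the second has none, and the `record` action writes the event so the next run is suppressed for that application until the day has passed.

```json
{
  "trigger": { "schedule": { "interval": "10m" } },
  "input": {
    "chain": {
      "inputs": [
        { "latest": { "search": { "request": {
          "indices": [ "quota-metrics-*" ],
          "body": {
            "size": 1,
            "sort": [ { "@timestamp": { "order": "desc" } } ],
            "query": { "range": { "tracking.softQuota.percentageUsed": { "gt": 50 } } }
          } } } } },
        { "history": { "search": { "request": {
          "indices": [ "quota-alert-history" ],
          "body": {
            "size": 0,
            "query": { "bool": { "filter": [
              { "term": { "meta.application": "{{ctx.payload.latest.hits.hits.0._source.meta.application}}" } },
              { "range": { "@timestamp": { "gte": "now-1d" } } }
            ] } }
          } } } } }
      ]
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "return ctx.payload.latest.hits.total > 0 && ctx.payload.history.hits.total == 0"
    }
  },
  "actions": {
    "notify": {
      "email": {
        "to": "ops@example.com",
        "subject": "Soft quota above 50% for {{ctx.payload.latest.hits.hits.0._source.meta.application}}",
        "body": "percentageUsed: {{ctx.payload.latest.hits.hits.0._source.tracking.softQuota.percentageUsed}}"
      }
    },
    "record": {
      "transform": {
        "script": {
          "lang": "painless",
          "source": "def src = ctx.payload.latest.hits.hits[0]._source; return ['meta': ['application': src.meta.application], 'percentageUsed': src.tracking.softQuota.percentageUsed];"
        }
      },
      "index": { "index": "quota-alert-history", "execution_time_field": "@timestamp" }
    }
  }
}
```

Because the `history` lookup is scoped to one application and one day, a second client crossing 50% later the same day still alerts, while repeated hits from an already-recorded client stay silent; no action-level throttle is needed for this.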
