Need help with creating a Watcher and trigger Email

I would like to create a Watcher alert using Watcher JSON and trigger an email.
Could you help me create a Watcher JSON that is equivalent to the below formula:

unique_count(id, kql='abcresult.keyword : "SUCCESS" ') / (unique_count(id, kql='abcresult.keyword : "SUCCESS" ') + unique_count(id, kql='abcresult.keyword: "FAILURE" '))

Hi - welcome to the forum!

Questions for you:

  1. Have you created Watches before and do you know the basics?
  2. Have you queried Elasticsearch using DSL syntax (plus used aggregations) before?
  3. Have you heard of a bucket_script aggregation?

The use of a bucket_script aggregation is likely the easiest way to go here to calculate the ratio right in the query.

Hi, I am new to ELK.
I am going through the links you have provided.
I have a doubt here.
Will I be able to create a Watcher using bucket script aggregation?

Yes, a Watch can contain any valid Elasticsearch DSL query/aggregation. Here's an example of a watch that looks at weblogs and computes the ratio of status codes in web logs. Not your exact use case, but pretty close!

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1d"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            "kibana_sample_data_logs"
          ],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-1d"
                      }
                    }
                  }
                ]
              }
            },
            "aggregations": {
              "buckets": {
                "date_histogram": {
                  "field": "@timestamp",
                  "calendar_interval": "1d"
                },
                "aggregations": {
                  "200s": {
                    "filter": {
                      "term": {
                        "response.keyword": "200"
                      }
                    }
                  },
                  "404s": {
                    "filter": {
                      "term": {
                        "response.keyword": "404"
                      }
                    }
                  },
                  "ratio": {
                    "bucket_script": {
                      "buckets_path": {
                        "two_hundreds": "200s._count",
                        "four_oh_fours": "404s._count"
                      },
                      "script": "params.four_oh_fours / (params.two_hundreds + params.four_oh_fours)"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": """
        // check to see if the ratio is higher than 5%
        return ctx.payload.aggregations.buckets.buckets.0.ratio.value > 0.05;
      """
    },
    "actions": {
      "log": {
        "logging": {
          "text": """
            Alert - the ratio is higher than 5%. See raw data:

            {{ctx.payload}}
          """
        }
      }
    }
  }
}

The output just logs (it doesn't email), but there are plenty of examples of how to email from a Watch.
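The following watch carries the original formula all the way through, as an added example that is not from this thread and not Elastic's own code. It assumes an index pattern abc-results-*, a @timestamp field, an id field mapped as keyword, a recipient soc@example.com and an alert threshold of 0.95 (success ratio below 95%); all of these are placeholders. Each unique_count() becomes a cardinality aggregation nested under a filter aggregation, the division becomes a bucket_script (which has to sit under a multi-bucket aggregation; a date_range with a single range gives exactly one bucket, so the condition can read bucket 0 without guessing which day it is), and the logging action is replaced by an email action. Store it with PUT _watcher/watch/abc_success_ratio, or wrap it in {"watch": ...} and POST it to _watcher/watch/_execute to dry-run it as in the reply above.

```json
{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["abc-results-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-1d" } } },
                { "terms": { "abcresult.keyword": ["SUCCESS", "FAILURE"] } }
              ]
            }
          },
          "aggregations": {
            "window": {
              "date_range": {
                "field": "@timestamp",
                "ranges": [ { "from": "now-1d" } ]
              },
              "aggregations": {
                "success": {
                  "filter": { "term": { "abcresult.keyword": "SUCCESS" } },
                  "aggregations": { "ids": { "cardinality": { "field": "id" } } }
                },
                "failure": {
                  "filter": { "term": { "abcresult.keyword": "FAILURE" } },
                  "aggregations": { "ids": { "cardinality": { "field": "id" } } }
                },
                "ratio": {
                  "bucket_script": {
                    "buckets_path": {
                      "s": "success>ids",
                      "f": "failure>ids"
                    },
                    "script": "(params.s + params.f) > 0 ? params.s / (params.s + params.f) : 1.0"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "def b = ctx.payload.aggregations.window.buckets; return b.size() > 0 && b[0].ratio != null && b[0].ratio.value < params.threshold;",
      "params": { "threshold": 0.95 }
    }
  },
  "actions": {
    "email_soc": {
      "email": {
        "to": ["soc@example.com"],
        "subject": "abcresult success ratio below {{ctx.metadata.threshold}}",
        "body": {
          "text": "Success ratio over the last 24h: {{ctx.payload.aggregations.window.buckets.0.ratio.value}}\nUnique successful ids: {{ctx.payload.aggregations.window.buckets.0.success.ids.value}}\nUnique failed ids: {{ctx.payload.aggregations.window.buckets.0.failure.ids.value}}"
        }
      }
    }
  },
  "metadata": {
    "threshold": 0.95
  }
}
```

Three things to keep in mind when adapting this. The bucket_script returns 1.0 when neither outcome occurred in the window, so an empty index does not produce a division by zero (Painless would otherwise yield NaN, which silently fails the comparison) and does not page anyone; if "no data" should itself alert, change that branch and the condition accordingly. The cardinality aggregation is an approximate count (HyperLogLog++), so the ratio is an estimate; raise precision_threshold on both cardinality aggregations if your id counts are small and you want them near-exact. The email action only works once an SMTP account is configured under xpack.notification.email.account.<name> in elasticsearch.yml; keep the password out of the yml by putting it in the keystore as xpack.notification.email.account.<name>.smtp.secure_password.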

Thanks!
