Need help with watcher

Tatamata · April 30, 2021, 9:23am

I need some help with watcher below. It is working but in email that is send to me I receive 10 cases of connection that receive code 503. I’d like instead to get a total number of calls with 503 for each IP. For instance.
IP 10.10.10.10 53 connection with release cause 503
IP 10.10.10.20 53 connection with release cause 503
And so on.

{
"trigger": {
"schedule": {
"interval": "15m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"netnumber-titan*"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"REL_CAUSE": "503"
}
},
{
"range": {
"@timestamp": {
"gte": "now-15m"
}
}
}
]
}
},
"_source": [
"REL_CAUSE",
"@timestamp",
"INGRESS_IP"
]
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 10
}
}
},
"actions": {
"email_users": {
"email": {
"profile": "standard",
"to": [
my.email@myhouse.com
],
"subject": "{{ctx.payload.hits.total}} Kibana Watcher Alert: RELEASE CAUSE 503",
"body": {
"html": "--{{ctx.payload.hits.total}} connections in last 15 minutes with release cause 503--\n\n

{{#ctx.payload.hits.hits}}\n

IP {{_source.INGRESS_IP}}{{ctx.payload.hits.hits.0._source_host}} ,time of occuarancy: {{_source.@timestamp}}{{ctx.payload.hits.hits.0._source@timeframe}}\t{{_source.REL_CAUSE}}\n{{/ctx.payload.hits.hits}}"
}
}
}
},
"throttle_period_in_millis": 600000
}

Result that I’m receiving today is
IP 10.10.10.10 ,time of occuarancy: 2021-04-30T08:31:41.128Z 503
IP 10.22.30.1 ,time of occuarancy: 2021-04-30T08:31:39.739Z 503
IP 10.10.10.10 ,time of occuarancy: 2021-04-30T08:31:39.740Z 503
IP 10.10.12.55 ,time of occuarancy: 2021-04-30T08:31:39.740Z 503
IP 10.10.12.100 ,time of occuarancy: 2021-04-30T08:31:41.128Z 503
IP 10.22.30.1,time of occuarancy: 2021-04-30T08:31:45.767Z 503
IP 10.10.10.33 ,time of occuarancy: 2021-04-30T08:31:44.712Z 503
IP 10.33.10.1 ,time of occuarancy: 2021-04-30T08:31:37.607Z 503
IP 10.10.10.33 ,time of occuarancy: 2021-04-30T08:31:37.917Z 503
IP 10.10.10.10 ,time of occuarancy: 2021-04-30T08:31:38.596Z 503
Appreciate if somebody can help me or give me advice.

Expected result should look like
IP 10.22.30.1 ,total number of connection with release code 503 in last 15 minutes is 11
IP 10.10.10.10 , ,total number of connection with release code 503 in last 15 minutes is 23
and so on for all IPs

Many thanks

spinscale · May 10, 2021, 9:31am

Please format your code properly, as this forum support markdown. Your snippet is rather hard to read

The basic idea for you query is that you are not interesting in single documents, but rather in aggregations of your search where you want to group by ip address.

This means you need to rethink your query and use aggregations to group by IP address (probably using a terms aggregation).

system · June 7, 2021, 9:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher not firing Kibana elastic-stack-alerting	2	407	July 27, 2021
How to send logs by watchers action Kibana elastic-stack-alerting	2	384	June 18, 2021
Watcher Assistance (ii) Elasticsearch elastic-stack-alerting	3	443	April 2, 2021
Watcher that counts the documents that arrive to an index in kibana Elasticsearch elastic-stack-alerting	46	3044	May 22, 2021
Watcher Timestamp showing in EPOCH Elasticsearch elastic-stack-alerting	4	901	October 1, 2021

Need help with watcher

Related Topics