Need help with watcher

I need some help with the watcher below. It is working, but in the email that is sent to me I receive 10 cases of connections that received code 503. I'd like instead to get the total number of calls with 503 for each IP. For instance:
IP 10.10.10.10 53 connection with release cause 503
IP 10.10.10.20 53 connection with release cause 503
And so on.

```json
{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "netnumber-titan*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "REL_CAUSE": "503"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-15m"
                    }
                  }
                }
              ]
            }
          },
          "_source": [
            "REL_CAUSE",
            "@timestamp",
            "INGRESS_IP"
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 10
      }
    }
  },
  "actions": {
    "email_users": {
      "email": {
        "profile": "standard",
        "to": [
          "my.email@myhouse.com"
        ],
        "subject": "{{ctx.payload.hits.total}} Kibana Watcher Alert: RELEASE CAUSE 503",
        "body": {
          "html": "--{{ctx.payload.hits.total}} connections in last 15 minutes with release cause 503--\n\n{{#ctx.payload.hits.hits}}\nIP {{_source.INGRESS_IP}} ,time of occurrence: {{_source.@timestamp}}\t{{_source.REL_CAUSE}}\n{{/ctx.payload.hits.hits}}"
        }
      }
    }
  },
  "throttle_period_in_millis": 600000
}
```

The result that I'm receiving today is:
IP 10.10.10.10 ,time of occuarancy: 2021-04-30T08:31:41.128Z 503
IP 10.22.30.1 ,time of occuarancy: 2021-04-30T08:31:39.739Z 503
IP 10.10.10.10 ,time of occuarancy: 2021-04-30T08:31:39.740Z 503
IP 10.10.12.55 ,time of occuarancy: 2021-04-30T08:31:39.740Z 503
IP 10.10.12.100 ,time of occuarancy: 2021-04-30T08:31:41.128Z 503
IP 10.22.30.1,time of occuarancy: 2021-04-30T08:31:45.767Z 503
IP 10.10.10.33 ,time of occuarancy: 2021-04-30T08:31:44.712Z 503
IP 10.33.10.1 ,time of occuarancy: 2021-04-30T08:31:37.607Z 503
IP 10.10.10.33 ,time of occuarancy: 2021-04-30T08:31:37.917Z 503
IP 10.10.10.10 ,time of occuarancy: 2021-04-30T08:31:38.596Z 503
I'd appreciate it if somebody can help me or give me advice.

The expected result should look like:
IP 10.22.30.1 ,total number of connection with release code 503 in last 15 minutes is 11
IP 10.10.10.10 ,total number of connection with release code 503 in last 15 minutes is 23
and so on for all IPs.

Many thanks

Please format your code properly, as this forum supports markdown. Your snippet is rather hard to read 🙂

The basic idea for your query is that you are not interested in single documents, but rather in aggregations of your search, where you want to group by IP address.

This means you need to rethink your query and use aggregations to group by IP address (probably using a terms aggregation).
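As an added example (not code from either post in this thread), here is the watcher from the question rewritten around a `terms` aggregation on `INGRESS_IP`, with the email template iterating over the aggregation buckets instead of over individual hits. It also explains the "10 cases" symptom: a search returns only the first 10 documents in `hits.hits` by default, while `hits.total` and the aggregation are computed over every matching document. Assumptions: `INGRESS_IP` is mapped as `ip` or `keyword` (if it is a `text` field with a keyword sub-field, use `INGRESS_IP.keyword`), the aggregation name `by_ip` is my choice, and `my.email@myhouse.com` is the placeholder address from the question.

```json
{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "netnumber-titan*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "match": {
                    "REL_CAUSE": "503"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-15m"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "by_ip": {
              "terms": {
                "field": "INGRESS_IP",
                "size": 100,
                "order": {
                  "_count": "desc"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 10
      }
    }
  },
  "actions": {
    "email_users": {
      "email": {
        "profile": "standard",
        "to": [
          "my.email@myhouse.com"
        ],
        "subject": "{{ctx.payload.hits.total}} Kibana Watcher Alert: RELEASE CAUSE 503",
        "body": {
          "html": "--{{ctx.payload.hits.total}} connections in last 15 minutes with release cause 503--\n\n{{#ctx.payload.aggregations.by_ip.buckets}}IP {{key}}, total number of connections with release code 503 in last 15 minutes is {{doc_count}}\n{{/ctx.payload.aggregations.by_ip.buckets}}"
        }
      }
    }
  },
  "throttle_period_in_millis": 600000
}
```

`"size": 0` drops the per-document hits from the payload, since only the bucket counts are used; `hits.total` is still populated, so the existing `gt: 10` condition keeps working. The `"size": 100` on the `terms` aggregation caps the number of IPs reported per run; if more than that can appear in a 15-minute window, raise it (the payload's `sum_other_doc_count` under `by_ip` shows how many matching documents fell outside the returned buckets). Buckets are sorted by descending count, so the noisiest source is listed first.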
