I need some help with the watcher below. It is working, but in the email that is sent to me I receive 10 cases of connections that received code 503. I'd like instead to get the total number of calls with 503 for each IP. For instance:
IP 10.10.10.10 53 connections with release cause 503
IP 10.10.10.20 53 connections with release cause 503
And so on.
{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "netnumber-titan*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "REL_CAUSE": "503"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-15m"
                    }
                  }
                }
              ]
            }
          },
          "_source": [
            "REL_CAUSE",
            "@timestamp",
            "INGRESS_IP"
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 10
      }
    }
  },
  "actions": {
    "email_users": {
      "email": {
        "profile": "standard",
        "to": [
          "my.email@myhouse.com"
        ],
        "subject": "{{ctx.payload.hits.total}} Kibana Watcher Alert: RELEASE CAUSE 503",
        "body": {
          "html": "--{{ctx.payload.hits.total}} connections in last 15 minutes with release cause 503--\n\n{{#ctx.payload.hits.hits}}\nIP {{_source.INGRESS_IP}}{{ctx.payload.hits.hits.0._source_host}} ,time of occurrence: {{_source.@timestamp}}{{ctx.payload.hits.hits.0._source@timeframe}}\t{{_source.REL_CAUSE}}\n{{/ctx.payload.hits.hits}}"
        }
      }
    }
  },
  "throttle_period_in_millis": 600000
}
The result that I'm receiving today is:
IP 10.10.10.10 ,time of occurrence: 2021-04-30T08:31:41.128Z 503
IP 10.22.30.1 ,time of occurrence: 2021-04-30T08:31:39.739Z 503
IP 10.10.10.10 ,time of occurrence: 2021-04-30T08:31:39.740Z 503
IP 10.10.12.55 ,time of occurrence: 2021-04-30T08:31:39.740Z 503
IP 10.10.12.100 ,time of occurrence: 2021-04-30T08:31:41.128Z 503
IP 10.22.30.1 ,time of occurrence: 2021-04-30T08:31:45.767Z 503
IP 10.10.10.33 ,time of occurrence: 2021-04-30T08:31:44.712Z 503
IP 10.33.10.1 ,time of occurrence: 2021-04-30T08:31:37.607Z 503
IP 10.10.10.33 ,time of occurrence: 2021-04-30T08:31:37.917Z 503
IP 10.10.10.10 ,time of occurrence: 2021-04-30T08:31:38.596Z 503
I would appreciate it if somebody could help me or give me advice.
The expected result should look like:
IP 10.22.30.1 ,total number of connections with release code 503 in last 15 minutes is 11
IP 10.10.10.10 ,total number of connections with release code 503 in last 15 minutes is 23
and so on for all IPs.
Many thanks