Hello team,
I need to add a time-range filter condition to the watcher below. I am unable to identify exactly where I need to put the condition below:
I think my script is checking the whole data set if I do not specify any range filter. I want the watcher script below to check data from the last 1 hour only.
Conditions:
{
"range": {
"@timestamp": {
"gte": "now-1h",
"lte": "now",
"format": "strict_date_optional_time"
}
}
}
Watcher Script:
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"index-"
],
"rest_total_hits_as_int": true,
"body": {
"size": 100,
"_source": [
"Error",
"@appTimestamp"
],
"query": {
"bool": {
"must": [],
"filter": [
{
// all my filter conditions here
],
"should": [],
"must_not": []
}
},
"aggs": {
"Error": {
"terms": {
"field": "Error.keyword"
},
"aggs": {
"range": {
"date_range": {
"field": "@timestamp",
"format": "H",
"ranges": [
{
"key": "Error_Count_10mins_ago",
"from": "now-12m",
"to": "now-7m"
},
{
"key": "Error_Count_5mins_ago",
"from": "now-6m",
"to": "now-1m"
}
],
"keyed": true
}
},
"deviation": {
"bucket_script": {
"buckets_path": {
"FiveMinAgo": "range['Error_Count_5mins_ago']>_count",
"TenMinAgo": "range['Error_Count_10mins_ago']>_count"
},
"script": "if (params.TenMinAgo == 0) {0} else {(params.FiveMinAgo - params.TenMinAgo)*100/params.TenMinAgo}"
}
},
"filter_aggs": {
"bucket_selector": {
"buckets_path": {
"FiveMinAgo": "range['Error_Count_5mins_ago']>_count",
"TenMinAgo": "range['Error_Count_10mins_ago']>_count",
"deviation": "deviation.value"
},
"script": "(params.TenMinAgo >= 80 && params.FiveMinAgo >= 130 && params.deviation >= 40)"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"source": """
ctx.payload.aggregations.Error.buckets.size() > 0;
""",
"lang": "painless"
}
},
"actions": {
// all actions
}