Nested condition with double action if returns false or true

Hello, I have a question,

I do not know if you can have a nested condition in an alert in Elasticsearch, i.e. I have a condition that, if met, returns true and sends an email, but I also want it to send me an email if it is not met and returns false. I mean, if the state changes to, for example, 1 or 2, then it returns true and sends an email, but if the state changes to 3 or 4, then it should send me an email too. I do not know how to do this in this language. I hope for your answer, thanks. I attach the code of my alert.

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "ups-distrital*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-5m/m",
                      "lt": "now/m"
                    }
                  }
                },
                {
                  "term": {
                    "Name.keyword": "CALLE 40 PPAL"
                  }
                }
              ]
            }
          },
          "aggs": {
            "terms1": {
              "terms": {
                "field": "upsState.keyword"
              }
            },
            "terms2": {
              "terms": {
                "field": "IP.keyword"
              }
            },
            "metricAgg": {
              "max": {
                "field": "State"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.aggregations.metricAgg.value <= params.threshold)  { return true; } if( ctx.payload.aggregations.metricAgg.value != params.threshold) { return false;}",
      "lang": "painless",
      "params": {
        "threshold": 2
      }
    }
  },
  "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          "juan.jaramillo@megadvantage.com"
        ],
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}} ",
        "body": {
          "text": """
            ⚠ Alerta! 🏮 El estado de la UPS CALLE 40 PPAL con la IP {{ctx.payload.terms2.buckets.0.key}} esta {{ctx.payload.terms1.buckets.0.key}}
  
  
            •Para mas informacion ingrese al siguiente enlace:
            
            https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/distrital/app/kibana#/dashboard/c3aa6120-fba9-11eb-ab41-13c85c32210d
            
            """
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": """
          return [
          'local_execution_time' : ctx.trigger.triggered_time.withZoneSameInstant(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('yyyy-MM-dd HH:mm:ss')),
          'terms1' : ctx.payload.aggregations.terms1,
          'terms2' : ctx.payload.aggregations.terms2
            ]
        """,
      "lang": "painless"
    }
  }
}

P.S.: I need it to return false because I have the alert set to be acked when the condition evaluates to true, so as not to receive many emails, and I need it to be set to OK when it returns false so that it restarts and re-evaluates. But there is the dilemma: when it returns false, can it send an email, that is to say, perform an action? Or would I have to create another alert for the other states?
Thanks
:thinking: :sleepy:
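
A watch can attach its own `condition` to each action, so a single watch can send one email for states 1 or 2 and a different one for states 3 or 4. The following is an added example, not part of the original post: it relies on Watcher's per-action `condition` and `throttle_period` settings, keeps the poster's index, filter and aggregations, and drops the watch-level `transform` so the action conditions read the raw search payload. The recipient address and the `1h` throttle are placeholders chosen for illustration.

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": { "search": { "request": {
    "indices": ["ups-distrital*"],
    "body": {
      "size": 0,
      "query": { "bool": { "filter": [
        { "range": { "@timestamp": { "gte": "now-5m/m", "lt": "now/m" } } },
        { "term": { "Name.keyword": "CALLE 40 PPAL" } }
      ] } },
      "aggs": {
        "terms1": { "terms": { "field": "upsState.keyword" } },
        "metricAgg": { "max": { "field": "State" } }
      }
    }
  } } },
  "condition": { "script": {
    "source": "return ctx.payload.aggregations.metricAgg.value != null;",
    "lang": "painless"
  } },
  "actions": {
    "email_state_1_or_2": {
      "throttle_period": "1h",
      "condition": { "script": {
        "source": "return ctx.payload.aggregations.metricAgg.value <= params.threshold;",
        "lang": "painless",
        "params": { "threshold": 2 }
      } },
      "email": {
        "to": ["ops@example.com"],
        "subject": "UPS CALLE 40 PPAL: state 1 or 2",
        "body": { "text": "Reported state: {{ctx.payload.aggregations.terms1.buckets.0.key}}" }
      }
    },
    "email_state_3_or_4": {
      "throttle_period": "1h",
      "condition": { "script": {
        "source": "return ctx.payload.aggregations.metricAgg.value > params.threshold;",
        "lang": "painless",
        "params": { "threshold": 2 }
      } },
      "email": {
        "to": ["ops@example.com"],
        "subject": "UPS CALLE 40 PPAL: state 3 or 4",
        "body": { "text": "Reported state: {{ctx.payload.aggregations.terms1.buckets.0.key}}" }
      }
    }
  }
}
```

The watch-level condition only checks that the 5-minute window returned a `State` value, which keeps the per-action comparisons from running against a null `max` result when no documents matched.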
