New to Watcher and trying to find examples

alerting

(Rhonda Bailey) #1

Hi,

I'm brand new to Watcher and trying to understand some of the nuances. I am looking at examples I have found and don't understand some of the conditions. Could someone take a look at this script and explain what it is doing? I don't fully understand the condition compare bolded part (ctx.payload.aggregations.load_time_outlier**.values.6.value**). How is that configured or where does it come from? I'm not finding anything in the documentation to help explain this.

    "trigger": {
      "schedule": {
        "interval": "5m"
      }
    },
    "input": {
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            ""
          ],
          "types": [],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "must": [
                  {
                    "match": {
                      "_index": "mwp"
                    }
                  },
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-5m",
                        "lt": "now"
                      }
                    }
                  },
                  {
                    "term": {
                      "json.data.team": "sbn"
                    }
                  },
                  {
                    "term": {
                      "json.tags": "http-api-receive"
                    }
                  },
                  {
                    "terms": {
                      "json.data.responseStatusCode": [
                        200
                      ]
                    }
                  }
                ]
              }
            },
            "aggs": {
              "load_time_outlier": {
                "percentiles": {
                  "field": "json.data.timeTakenInMSec",
                  "keyed": false
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "compare": {
        "ctx.payload.aggregations.load_time_outlier.values.6.value": {
          "gte": 1000
        }
      }
    }

Thanks,

Rhonda Bailey


(rich collier) #2

Hi Rhonda,

When the input query is run as part of this watch, a query aggregation is run (in this case, a percentiles aggregation). The output of that will be an array that will look something like:

          "aggregations": {
            "load_time_outlier": {
              "values": [
                {
                  "value": 8.924114057624271,
                  "key": 1
                },
                {
                  "value": 10.54291390330281,
                  "key": 5
                },
                {
                  "value": 20.738003111191084,
                  "key": 25
                },
                {
                  "value": 187.80716667566568,
                  "key": 50
                },
                {
                  "value": 406.51588899356284,
                  "key": 75
                },
                {
                  "value": 1870.7552690639914,
                  "key": 95
                },
                {
                  "value": 9998.294815264673,
                  "key": 99
                }
              ]
            }
          }

Therefore, ctx.payload.aggregations.load_time_outlier.values.6.value will be the value element of the 7th element of this array (since the array is 0-based). This is thus the 99th percentile value of the json.data.timeTakenInMSec field.

In the above example, this 99th percentile would resolve out to:

"ctx.payload.aggregations.load_time_outlier.values.6.value": 9998.294815264673

And in your compare logic, would be just slightly under the threshold of 1000.
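
The path lookup described in this reply, as an added example that is not part of the original posts and is not Elasticsearch code: a Python sketch that walks the dotted `ctx.payload...` path over the sample output above and applies the watch's `gte: 1000` comparison. `resolve_path`, `percentile_by_key` and `condition_met` are hypothetical helper names, and the payload is the sample from the reply.

```python
# Added example: mimics how a dotted compare path is resolved against a watch payload.
# The helper names are hypothetical; nothing here is an Elasticsearch API.

# Sample percentiles output from the reply above ("keyed": false gives an array).
VALUES = [
    {"key": 1, "value": 8.924114057624271},
    {"key": 5, "value": 10.54291390330281},
    {"key": 25, "value": 20.738003111191084},
    {"key": 50, "value": 187.80716667566568},
    {"key": 75, "value": 406.51588899356284},
    {"key": 95, "value": 1870.7552690639914},
    {"key": 99, "value": 9998.294815264673},
]
ROOT = {"ctx": {"payload": {"aggregations": {"load_time_outlier": {"values": VALUES}}}}}
PATH = "ctx.payload.aggregations.load_time_outlier.values.6.value"


def resolve_path(root, path):
    """Walk a dotted path; a numeric segment indexes into a list (0-based)."""
    node = root
    for part in path.split("."):
        node = node[int(part)] if isinstance(node, list) else node[part]
    return node


def percentile_by_key(root, agg_name, key):
    """Find a percentile by its key rather than by its position in the array."""
    for entry in root["ctx"]["payload"]["aggregations"][agg_name]["values"]:
        if entry["key"] == key:
            return entry["value"]
    raise KeyError(f"percentile {key} not present in {agg_name}")


def condition_met(root, path, threshold):
    """Apply the watch's gte comparison; a missing (None) value never fires."""
    value = resolve_path(root, path)
    return value is not None and value >= threshold


if __name__ == "__main__":
    print("values.6.value     =", resolve_path(ROOT, PATH))
    print("percentile key 99  =", percentile_by_key(ROOT, "load_time_outlier", 99))
    print("gte 1000 satisfied =", condition_met(ROOT, PATH, 1000))
```

Index 6 is the 99th percentile only because the aggregation in the watch uses the default percents (1, 5, 25, 50, 75, 95, 99). If a `percents` list is added to the aggregation, the positions shift, which is why the key-based lookup is shown alongside the positional one.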


(Rhonda Bailey) #3

Thank you. That makes much more sense now.

Rhonda

