New to Watcher and trying to find examples

Hi,

I'm brand new to Watcher and trying to understand some of the nuances. I am looking at examples I have found and don't understand some of the conditions. Could someone take a look at this script and explain what it is doing? I don't fully understand the the condition compare bolded part (ctx.payload.aggregations.load_time_outlier**.values.6.value**). How is that configured or where does it come from? I'm not finding anything in the documentation to help explain this.

"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
""
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"_index": "mwp
"
}
},
{
"range": {
"@timestamp": {
"gte": "now-5m",
"lt": "now"
}
}
},
{
"term": {
"json.data.team": "sbn"
}
},
{
"term": {
"json.tags": "http-api-receive"
}
},
{
"terms": {
"json.data.responseStatusCode": [
200
]
}
}
]
}
},
"aggs": {
"load_time_outlier": {
"percentiles": {
"field": "json.data.timeTakenInMSec",
"keyed": false
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.load_time_outlier.values.6.value": {
"gte": 1000
}
}
}

Thanks,

Rhonda Bailey

Hi Rhonda,

When the input query is run as part of this watch, a query aggregation is run (in this case, a percentiles aggregation). The output of that will be an array that will look something like:

          "aggregations": {
            "load_time_outlier": {
              "values": [
                {
                  "value": 8.924114057624271,
                  "key": 1
                },
                {
                  "value": 10.54291390330281,
                  "key": 5
                },
                {
                  "value": 20.738003111191084,
                  "key": 25
                },
                {
                  "value": 187.80716667566568,
                  "key": 50
                },
                {
                  "value": 406.51588899356284,
                  "key": 75
                },
                {
                  "value": 1870.7552690639914,
                  "key": 95
                },
                {
                  "value": 9998.294815264673,
                  "key": 99
                }
              ]
            }
          }

therefore, ctx.payload.aggregations.load_time_outlier.values.6.value will be the value element of the 7th element of this array (since the array is 0-based). This is thus, the 99th percentile value of the json.data.timeTakenInMSec field .

In the above example, this 99th percentile would resolve out to:

"ctx.payload.aggregations.load_time_outlier.values.6.value": 9998.294815264673

And in your compare logic, would be just slightly under the threshold of 1000

Thank you. That makes much more sense now.

Rhonda

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.