Parsing complex bucket aggregations in watcher

In summary, I want to generate alerts when percentage disk usage of a device goes above a certain threshold. Using Beats for data collection, the documents individually look like the default System Beat. I wrote the following aggregation to get the percentage usage per device per host.
```json
{
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now-15m",
        "lte": "now"
      }
    }
  },
  "aggs": {
    "by_host": {
      "terms": {
        "field": "beat.hostname"
      },
      "aggs": {
        "by_device": {
          "terms": {
            "field": "system.filesystem.device_name"
          },
          "aggs": {
            "disk_used_pct": {
              "avg": {
                "field": "system.filesystem.used.pct"
              }
            }
          }
        }
      }
    }
  }
}
```

How do I generate the alert for per device per host?

Hey,

Right now, one query also only generates one alert. If you want to generate multiple alerts, it might be easier to forward the whole data to Logstash using the watcher webhook and the Logstash http input, and then create several events over there - or use the index action to create multiple documents in an index and use that index as source of alerts.

Hope this helps!

--Alex
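A watch that follows the second suggestion above (the index action), added here as an example and not code from the thread or from Elastic: the watch-level transform flattens the nested `by_host` / `by_device` buckets into one document per host and device that is over the threshold, and the index action writes each entry of the `_doc` array as its own document. The index pattern `metricbeat-*`, the 0.9 threshold and the `disk-alerts` target index are assumed placeholders; the aggregation is the one from the question with `size: 0` added so no hits are returned.

```json
{
  "trigger": { "schedule": { "interval": "15m" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "metricbeat-*" ],
        "body": {
          "size": 0,
          "query": { "range": { "@timestamp": { "gte": "now-15m", "lte": "now" } } },
          "aggs": {
            "by_host": {
              "terms": { "field": "beat.hostname" },
              "aggs": {
                "by_device": {
                  "terms": { "field": "system.filesystem.device_name" },
                  "aggs": { "disk_used_pct": { "avg": { "field": "system.filesystem.used.pct" } } }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "for (h in ctx.payload.aggregations.by_host.buckets) { for (d in h.by_device.buckets) { if (d.disk_used_pct.value != null && d.disk_used_pct.value > params.threshold) { return true; } } } return false;",
      "params": { "threshold": 0.9 }
    }
  },
  "transform": {
    "script": {
      "source": "def docs = []; for (h in ctx.payload.aggregations.by_host.buckets) { for (d in h.by_device.buckets) { if (d.disk_used_pct.value != null && d.disk_used_pct.value > params.threshold) { docs.add(['host': h.key, 'device': d.key, 'used_pct': d.disk_used_pct.value, 'fired_at': ctx.execution_time]); } } } return ['_doc': docs];",
      "params": { "threshold": 0.9 }
    }
  },
  "actions": {
    "index_alerts": {
      "index": { "index": "disk-alerts" }
    }
  }
}
```

The condition runs before the transform, so it repeats the threshold scan over the raw buckets rather than reading `_doc`; a second watch or a Kibana alert over `disk-alerts` then produces one notification per document.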

Yeah, makes sense actually. I was looking into templates and thought I would have to make multiple types of alerts per host. But the Logstash way does sound good. I will give it a try.
Thanks!
