Posting my watcher body to a server via webhook

alerting

(MAX_JOHNSON) #1

Hello,

I have created a watcher to monitor my server memory usage, which is working fine, but here I want to post the email result to a 3rd platform or the same server. I searched about it and found that we can do it via webhook. As I am completely new to the webhook concept, I request you to please explain to me how I will be able to post the email result to a platform and where I need to configure the details of the host where I want to post the details.

Below is the watcher I created. Please have a look.


(MAX_JOHNSON) #2

    {
      "trigger": {
        "schedule": {
          "interval": "1m"
        }
      },
      "input": {
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "metricbeat-wp-xyz*"
            ],
            "types": [],
            "body": {
              "size": 0,
              "query": {
                "bool": {
                  "filter": {
                    "range": {
                      "@timestamp": {
                        "gte": "{{ctx.trigger.scheduled_time}}||-1d",
                        "lte": "{{ctx.trigger.scheduled_time}}",
                        "format": "strict_date_optional_time||epoch_millis"
                      }
                    }
                  }
                }
              },
              "aggs": {
                "bucketAgg": {
                  "terms": {
                    "field": "beat.hostname",
                    "size": 50,
                    "order": {
                      "metricAgg": "desc"
                    }
                  },
                  "aggs": {
                    "metricAgg": {
                      "avg": {
                        "field": "system.memory.used.pct"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      },
      "condition": {
        "script": {
          "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value > params.threshold) { return true; } } return false;",
          "lang": "painless",
          "params": {
            "threshold": 0.9
          }
        }
      },
      "actions": {
        "email_1": {
          "email": {
            "account": "gmail_account",
            "profile": "gmail",
            "to": [
              "xyz@gmail.com"
            ],
            "subject": "Alert! High Memory Consumption Found On The Server",
            "body": {
              "text": "The following hosts have exceeded the Memory threshold: \n{{#ctx.payload.results}}{{key}}:{{value}}%\n{{/ctx.payload.results}} \n\n at times: {{ctx.trigger.triggered_time}} \n\n"
            }
          }
        }
      },
      "metadata": {
        "watcherui": {
          "trigger_interval_unit": "m",
          "agg_type": "avg",
          "time_field": "@timestamp",
          "trigger_interval_size": 1,
          "term_size": 50,
          "time_window_unit": "d",
          "threshold_comparator": ">",
          "term_field": "beat.hostname",
          "index": [
            "metricbeat-wp-xyz*"
          ],
          "time_window_size": 1,
          "threshold": 0.9,
          "agg_field": "system.memory.used.pct"
        }
      },
      "transform": {
        "script": {
          "source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = Math.round(arr[i]['metricAgg'].value*100); if (filteredHit.value > params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
          "lang": "painless",
          "params": {
            "threshold": 0.9
          }
        }
      }
    }


(Alexander Reelsen) #3

hey,

you would indeed replace the email action with a webhook action, if your email provider wants you to use HTTP instead of SMTP. The documentation for the webhook action also shows how to use it.

Is there any concrete problem we can help with?

--Alex
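
The replacement described in this reply, as an added example that is not part of the original thread or of Elastic's documentation: an `actions` section with a webhook action in place of `email_1` for the watch posted above. The action name `webhook_1`, the host, port, path and credentials are placeholder assumptions; the body reuses the `results` list built by the watch's own transform.

```json
{
  "actions": {
    "webhook_1": {
      "throttle_period": "15m",
      "webhook": {
        "scheme": "https",
        "host": "receiver.example.com",
        "port": 443,
        "method": "post",
        "path": "/alerts/memory",
        "headers": {
          "Content-Type": "application/json"
        },
        "auth": {
          "basic": {
            "username": "PLACEHOLDER_USER",
            "password": "PLACEHOLDER_PASSWORD"
          }
        },
        "connection_timeout": "10s",
        "read_timeout": "10s",
        "body": "{\"watch_id\": \"{{ctx.watch_id}}\", \"triggered_time\": \"{{ctx.trigger.triggered_time}}\", \"hosts\": {{#toJson}}ctx.payload.results{{/toJson}} }"
      }
    }
  }
}
```

The `host`, `port` and `path` fields are where the receiving server is configured. With `scheme` set to `https`, the basic-auth credentials and the host list are not sent in clear text.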


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.