Hello!
I'm trying to create a watcher that puts data from the `ip_buckets` terms aggregation into the email body. However, I'm stuck on the transformation/templating step. I even tried to hard-code a reference to a single bucket (index 1 of the `buckets` array — note that template array indices are zero-based, so this would be the second bucket), like:
{{ctx.payload.aggregations.ip_buckets.buckets.1.doc_count}}
but without success. Could you please advise on the correct way to reference the aggregation buckets from the email template?
> {
> "trigger": {
> "schedule": {
> "interval": "1m"
> }
> },
> "input": {
> "search": {
> "request": {
> "indices": [
> "logstash-*"
> ],
> "body": {
> "size": 0,
> "query": {
> "bool": {
> "must": [
> {
> "range": {
> "date": {
> "gte": "now-1h",
> "lt": "now"
> }
> }
> },
> {
> "range": {
> "sc_status": {
> "gte": "500",
> "lte": "599"
> }
> }
> }
> ],
> "must_not": [
> {
> "match": {
> "cs_method": "GET"
> }
> },
> {
> "match": {
> "cs_method": "HEAD"
> }
> }
> ]
> }
> },
> "aggs": {
> "ip_buckets": {
> "terms": {
> "field": "ip",
> "min_doc_count": 30
> }
> }
> }
> }
> }
> }
> },
> "condition": {
> "array_compare": {
> "ctx.payload.aggregations.ip_buckets.buckets": {
> "path": "doc_count",
> "gt": {
> "value": 30,
> "quantifier": "some"
> }
> }
> }
> },
> "actions": {
> "send_email": {
> "throttle_period": "1m",
> "transform": {},
> "email": {
> "to": "john.doe@company.com",
> "subject": "ElasticSearch Cluster Alert -- Too many 500's have been discovered during last 60 min",
> "body": "Total # of errors per period: {{ctx.payload.hits.total}}"
> }
> }
> }
> }