Queries in Watcher

Hi there!

I'm not yet well versed in Watcher and I was wondering something. If you look at Kibana you can query similar to SQL which grabs the specific data you need from Elasticsearch.

For example: host = 178.62.170.190 status = 404
This should return all 404 statuses of the ip address listed above. Can you add a watch in Watcher with similar properties?

I want to be able to set up a watch which looks for 404 statuses (or whatever) in a specific host. Is such a thing possible in Watcher at this point? Thanks for your time :smile:

Yes, if host and status are properties on your logs then that is possible with watcher. I recommend checking out the getting started on how to do something similar: https://www.elastic.co/guide/en/watcher/current/getting-started.html

Ah so you can then!

I tried looking for an example such as this in the documentation but I couldn't find anything.
I did find something called simple input and wondered if that would be something I could use.

Going by the example under customizing watches:

"input" : {
  "simple" : {
    "color"  : "red",
    "status" : "error",
    "count"  : 3
  }
}

If I were to change it to

"input" : {
  "simple" : {
    "host"  : "178.62.170.190",
    "status" : "404"
  }
}

Would that work in the way I would want it to? If not, can you show me an example of how to do it correctly or point me to the section of the documentation where this is explained? Thanks :smile:

Anyone?

I don't think the simple input will work for you. If you want to see how to create a watch based on a Kibana visualization, I suggest watching my webinar on the topic - I create a watch from a dashboard live and walk through the process :slight_smile:

https://www.elastic.co/webinars/watcher-practical-alerting-for-elasticsearch


Sounds good! I will look into it!
Do you perhaps have a webinar regarding the Slack actions?

@skearns I looked at your webinar and it was very interesting indeed! Though I'm still a bit lost on how to query something.

PUT _watcher/watch/watcher_execution_duration_SLA
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ ".watch_history-*" ],
        "body": {
          "query": {
            "filtered": {
              "query": {
                "match_all": {}
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "result.execution_time": {
                          "gte": "now-1m"
                        }
                      }
                    }
                  ]
                }
              }
            }
          },
          "size": 0,
          "aggs": {
            "watcher_SLA": {
              "percentiles": {
                "field": "result.execution_time",
                "keyed": false,
                "percents": [ 99 ]
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "FIELD": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "text": "The Watcher SLA was exceeded at {{ctx.execution_time}}"
      }
    }
  }
}

You are filtering for the execution time of watcher. What I would like is to look into the logstash-* index and filter for records with a specific URL or IP address and a condition to watch for which is also part of the record. This would be for example host and http.status. I'd imagine that I'd have to change the indices to

[ "logstash-*" ]

but what about the query and agg? Sorry if this seems too low level but I'm having somewhat of a hard time understanding the used syntax.

It sounds like you're making progress. In the video, I demonstrated how to start with a Kibana dashboard, then pick a visualization that has the data I want to query against, and look at the underlying query that powers that chart. Starting with that query, I trimmed it down to just the part of the query that was necessary for my Watch.

I think you could take a similar approach here?
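Putting the thread together, this is the body of a `PUT _watcher/watch/host_404s` request for the watch described in the question: search `logstash-*` for documents from one host with status 404 in the last five minutes, and fire a logging action when any are found. It is an added example, not from the thread or the webinar, and it assumes the Watcher 1.x syntax of the posted watch, Logstash documents with `@timestamp`, `host` and `status` fields, and `status` indexed as a number.

```json
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "logstash-*" ],
        "body": {
          "size": 0,
          "query": {
            "filtered": {
              "query": {
                "match_all": {}
              },
              "filter": {
                "bool": {
                  "must": [
                    { "term": { "host": "178.62.170.190" } },
                    { "term": { "status": 404 } },
                    { "range": { "@timestamp": { "gte": "now-5m" } } }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log_404s": {
      "logging": {
        "text": "{{ctx.payload.hits.total}} responses with status 404 from 178.62.170.190 in the last 5 minutes"
      }
    }
  }
}
```

The `term` filters need exact values, so if `host` is an analyzed string in your Logstash mapping, filter on the `host.raw` sub-field the default Logstash template provides instead.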