In the last 1 minute, my watch found 3 events that met the condition, occurring on OBJECT_A. So this watch is marked with priority level 1.
In the next firing, my watch found 3 more events occurring on OBJECT_A, the same as in the last watch. <== Here, my alert priority will be level 2, and it sends the actual webhook action.
I'm using a webhook, so I can solve this by coding the escalation engine in my webhook service, but I want to know how to do this with Elasticsearch and Watcher. Is it possible?
It sounds like you can achieve this by checking to see if 3 events met the condition in {now-1m} && 3 events met the condition between {now-2m} and {now-1m}, and if that evaluates to true, fire a webhook action.
In my case the watch may find multiple OBJECTs that met the condition. Assume they are IP addresses, so I need to iterate over every IP address to find whether I saw it between {now-2m} and {now-1m} in order to generate an exact result.
What would my watch look like, and what are the related documents?
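One way to do this in a single watch, as an added example that is not from this thread and not from Elastic's documentation: one search covers the last two minutes, a terms aggregation splits the hits per IP, a date_range sub-aggregation splits each IP's hits into the previous minute and the current minute, and the condition fires only when some IP has at least 3 hits in both windows. The index pattern `events-*`, the fields `@timestamp`, `source.ip` and `event.action`, the value `login_failure` and the webhook host are assumptions; replace them with your own.

```json
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": { "search": { "request": {
    "indices": [ "events-*" ],
    "body": {
      "size": 0,
      "query": { "bool": { "filter": [
        { "term": { "event.action": "login_failure" } },
        { "range": { "@timestamp": { "gte": "now-2m", "lt": "now" } } }
      ] } },
      "aggs": { "by_ip": {
        "terms": { "field": "source.ip", "size": 500 },
        "aggs": { "windows": { "date_range": {
          "field": "@timestamp",
          "keyed": true,
          "ranges": [
            { "key": "previous", "from": "now-2m", "to": "now-1m" },
            { "key": "current",  "from": "now-1m", "to": "now" }
          ]
        } } }
      } }
    }
  } } },
  "condition": { "script": {
    "lang": "painless",
    "source": "for (b in ctx.payload.aggregations.by_ip.buckets) { def w = b.windows.buckets; if (w.previous.doc_count >= 3 && w.current.doc_count >= 3) { return true; } } return false;"
  } },
  "transform": { "script": {
    "lang": "painless",
    "source": "def ips = []; for (b in ctx.payload.aggregations.by_ip.buckets) { def w = b.windows.buckets; if (w.previous.doc_count >= 3 && w.current.doc_count >= 3) { ips.add(b.key); } } return ['escalated': ips];"
  } },
  "actions": { "escalate": { "webhook": {
    "scheme": "https", "host": "alerts.example.internal", "port": 443,
    "method": "post", "path": "/hooks/watcher",
    "headers": { "Content-Type": "application/json" },
    "body": "{\"priority\": 2, \"objects\": {{#toJson}}ctx.payload.escalated{{/toJson}}}"
  } } }
}
```

The `to` of each range is exclusive, so every event lands in exactly one window and is never counted twice; the transform passes only the IPs that reached level 2 to the webhook, so the receiving service does not have to re-derive which objects escalated.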