Sending instance ID in watcher alert

Hi, I would like to create an alert using JSON that sends the cloud.instance.id of the instance with high CPU in the email.

{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-5m",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
}
},
"aggs": {
"bucketAgg": {
"terms": {
"field": "cloud.instance.id",
"size": 5,
"order": {
"metricAgg": "desc"
}
},
"aggs": {
"metricAgg": {
"max": {
"field": "aws.ec2.cpu.total.pct"
}
}
}
}
}
},
"indices": [
"metricbeat-*"
]
}
}
},
"condition": {
"script": {
"source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value > params.threshold) { return true; } } return false;",
"params": {
"threshold": 1000
}
}
},
"transform": {
"script": {
"source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = arr[i]['metricAgg'].value; if (filteredHit.value > params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
"params": {
"threshold": 80
}
}
},
"actions": {
"email_1": {
"email": {
"profile": "standard",
"to": "testtest@gmail.com",
"subject": "Watch [{{ctx.metadata.name}}] has exceeded the threshold",
"body": {
"text": "{{ctx.metadata.field}}"
}
}
}
}
}
