Set up error transaction percentage alert email

Hi all,
I have data with the following structure:

I need an alert email every 30 seconds that counts, for each Name, the number of documents that have an ErrorCode in the list [001, 002, 003], and the percentage of each Name relative to the total (all ErrorCodes), in the following format:

- Name: NAME1 --- error 10/116 (8.6%)
- Name: NAME2 --- error 4/8 (50%)
- Name: NAME3 --- error 17/30 (56.6%)
- Name: NAME4 --- error 26/100 (26%)

I have grouped Name and ErrorCode:

"query": {
            "bool": {
              "must": [
                {
                  "terms": {
                    "Name": [
                      "000",
                      "001",
                      "002",
                      "003",
                      "004",
                      "005",
                      "006",
                      "007",
                      "008",
                      "009",
                      "010"
                    ]
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-5m",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          },
          "aggs": {
            "group_by_name": {
              "terms": {
                "field": "Name.keyword"
              },
              "aggs": {
                "group_by_errorcode": {
                  "filter": {
                    "terms": {
                      "Code": [
                        "001",
                        "002",
                        "003"
                      ]
                    }
                  }
                }
              }
            }
          }

Here is the returned result:

"aggregations": {
          "group_by_Name": {
            "doc_count_error_upper_bound": 46,
            "sum_other_doc_count": 2659,
            "buckets": [
              {
                "doc_count": 5331,
                "key": "Name1",
                "group_by_Error": {
                  "doc_count": 5331
                }
              },
              {
                "doc_count": 2286,
                "key": "Name2",
                "group_by_Error": {
                  "doc_count": 1036
                }
              },
              {
                "doc_count": 1710,
                "key": "Name3",
                "group_by_Error": {
                  "doc_count": 1
                }
              }

I have configured the watcher and can receive mail:

"body": {
          "html": "{{#ctx.payload.aggregations.group_by_name.buckets}}<br>- Name <b>{{key}}</b> error {{#group_by_error }}{{doc_count}}/{{/group_by_error}}{{doc_count}}</br>{{/ctx.payload.aggregations.group_by_name.buckets}}"
        }

The structure of the email I received:

- Name: NAME1 --- error 10/116
- Name: NAME2 --- error 4/8
- Name: NAME3 --- error 17/30
- Name: NAME4 --- error 26/100

How can I calculate the percentage based on the calculated data?

This can be done using a script transform.

Hi @spinscale, I did it with bucket_script:

"success_percent": {
                  "bucket_script": {
                    "buckets_path": {
                      "error": "group_by_count_err",
                      "total": "group_by_count_all"
                    },
                    "script": "params.error/ params.total* 100",
                    "format": "0.00"
                  }
}

But I get all NAME values. How can I set the warning threshold for each NAME? For example: NAME 1: 80%, NAME 2: 20%... If the percentage is greater than the threshold, the NAME value will appear in the alert email.

Again, this could be done in a script transform, scripting gives you the freedom to only include a part of your aggregation results that break a certain threshold :slight_smile:
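
The script transform suggested above, sketched as an added example that is not part of the original thread: a Painless transform computes each bucket's error percentage and keeps only the names above their own threshold, and an action-level condition skips the email when none remain. The aggregation names `group_by_name` and `group_by_errorcode` are taken from the query earlier in the thread; the threshold keys, `default_threshold`, the `alerts` payload key and the recipient address are assumptions, and the triple-quoted script is Kibana Dev Tools syntax.

```json
{
  "transform": {
    "script": {
      "lang": "painless",
      "params": {
        "thresholds": { "NAME1": 80, "NAME2": 20 },
        "default_threshold": 50
      },
      "source": """
        // Added example. Aggregation names follow the query in the thread;
        // thresholds, default_threshold and the 'alerts' key are assumptions.
        def alerts = [];
        for (def b : ctx.payload.aggregations.group_by_name.buckets) {
          def total = b.doc_count;
          def errors = b.group_by_errorcode.doc_count;
          if (total == 0) { continue; }  // guard against division by zero
          double pct = 100.0 * errors / total;
          // Per-name threshold, falling back to the default for unlisted names
          def limit = params.thresholds.getOrDefault(b.key, params.default_threshold);
          if (pct > limit) {
            alerts.add(['name': b.key, 'errors': errors, 'total': total,
                        'percent': Math.round(pct * 10) / 10.0]);
          }
        }
        return ['alerts': alerts];
      """
    }
  },
  "actions": {
    "send_email": {
      "condition": {
        "script": { "source": "return ctx.payload.alerts.size() > 0" }
      },
      "email": {
        "to": "ops@example.com",
        "subject": "Error percentage above threshold",
        "body": {
          "html": "{{#ctx.payload.alerts}}<br>- Name: <b>{{name}}</b> --- error {{errors}}/{{total}} ({{percent}}%){{/ctx.payload.alerts}}"
        }
      }
    }
  }
}
```

The transform replaces the payload, so the email template iterates over `ctx.payload.alerts` instead of the raw aggregation buckets.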