Specific Alarm Values : building an array of JSON elements in the condition scripts

Hi all,

I have a watch with a script condition that loops over the results, and if there is one value greater than my threshold the condition return value is set to true. So far, so good.
But... because in my action I want to specify all the values meeting the condition, I tried to collect those values and set a ctx.vars variable with an array of JSON documents meeting the alert condition.

The code looks like:

"condition": {
  "script": {
    "source": "def docs=[];def status= false;def calls=ctx.payload.aggregations.origin;for (int i = 0; i < calls.size(); ++i) {if (calls.buckets[i].grand_total.value > 34){ docs.add(['from' : calls.buckets[i].key , 'gt' : calls.buckets[i].grand_total.value]);status=true} } ctx.vars.alerts=docs; return status",
    "lang": "painless"
  }
}

I'm doing something wrong building the array because it only returns one element.
If instead of the docs.add I hardcode the value of docs with multiple elements, the value is correctly returned.

What is wrong?
Thank you very much
Regards
Anna

Can you post the output of an execute watch API call here as well, please? Otherwise there is no clue what the input looks like.

--Alex

Hi Alex,
Here is the watch and an extract of the simulation
( ..... )
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "new_sbc"
            ],
            "types": [],
            "body": {
              "query": {
                "bool": {
                  "filter": [
                    {
                      "terms": {
                        "oper.keyword": [
                          "START",
                          "STOP"
                        ]
                      }
                    },
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "2017-10-04T20:46:00.000Z",
                          "lte": "2017-10-04T20:48:10.000Z"
                        }
                      }
                    }
                  ]
                }
              },
              "size": 0,
              "aggs": {
                "origin": {
                  "terms": {
                    "field": "from.keyword",
                    "size": 10000,
                    "min_doc_count": 2
                  },
                  "aggs": {
                    "call_ref": {
                      "terms": {
                        "field": "call_ref.keyword",
                        "size": 10000,
                        "min_doc_count": 2
                      },
                      "aggs": {
                        "total_duration": {
                          "sum": {
                            "field": "duration"
                          }
                        }
                      }
                    },
                    "grand_total": {
                      "sum_bucket": {
                        "buckets_path": "call_ref>total_duration"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      },
      "condition": {
        "type": "script",
        "status": "success",
        "met": true
      },
      "actions": [
        {
          "id": "my-logging-action",
          "type": "logging",
          "status": "success",
          "logging": {
            "logged_text": "There are From: 16196464248: Total 745.0"
          }
        }
      ]
    },
    "messages": []
  }
}

I try to put as a JSON array the values matching my condition but only one is displayed.
If instead of using docs.add I set a fixed value like docs=[['from': '123', 'gt':1],['from':'456', 'gt':15]], it works ok.

"logged_text": "There are From: 123: Total 1 From: 456: Total 15"

Probably the problem is that I'm not using correctly the .add method.

Thank you very much
Regards
Anna

The execute watch API output (preferably in a gist, as this JSON here is really hard to read) also contains the search query output. It is crucial for debugging to get the full picture, so getting that output would be great.

--Alex

Hi Alex,
Here is the output. I have suppressed some results due to the length restriction

{
  "_id": "W20171024_1faf2d76-cf08-4563-9c29-99387238a7c6-2017-10-26T12:37:31.805Z",
  "watch_record": {
    "watch_id": "W20171024",
    "state": "executed",
    "status": {
      "state": {
        "active": true,
        "timestamp": "2017-10-26T12:37:27.849Z"
      },
      "last_checked": "2017-10-26T12:37:31.805Z",
      "last_met_condition": "2017-10-26T12:37:31.805Z",
      "actions": {
        "my-logging-action": {
          "ack": {
            "timestamp": "2017-10-26T12:37:31.805Z",
            "state": "ackable"
          },
          "last_execution": {
            "timestamp": "2017-10-26T12:37:31.805Z",
            "successful": true
          },
          "last_successful_execution": {
            "timestamp": "2017-10-26T12:37:31.805Z",
            "successful": true
          }
        }
      }
    },
    "trigger_event": {
      "type": "manual",
      "triggered_time": "2017-10-26T12:37:31.805Z",
      "manual": {
        "schedule": {
          "scheduled_time": "2017-10-26T12:37:31.805Z"
        }
      }
    },
    "input": {
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "new_sbc"
          ],
          "types": [],
          "body": {
            "query": {
              "bool": {
                "filter": [
                  {
                    "terms": {
                      "oper.keyword": [
                        "START",
                        "STOP"
                      ]
                    }
                  },
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "2017-10-04T20:46:00.000Z",
                        "lte": "2017-10-04T20:46:30.000Z"
                      }
                    }
                  }
                ]
              }
            },
            "size": 0,
            "aggs": {
              "origin": {
                "terms": {
                  "field": "from.keyword",
                  "size": 10000,
                  "min_doc_count": 2
                },
                "aggs": {
                  "call_ref": {
                    "terms": {
                      "field": "call_ref.keyword",
                      "size": 10000,
                      "min_doc_count": 2
                    },
                    "aggs": {
                      "total_duration": {
                        "sum": {
                          "field": "duration"
                        }
                      }
                    }
                  },
                  "grand_total": {
                    "sum_bucket": {
                      "buckets_path": "call_ref>total_duration"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": {
        "source": "def docs=[];def status= false;def calls=ctx.payload.aggregations.origin;for (int i = 0; i < calls.size(); ++i) {if (calls.buckets[i].grand_total.value > 34){ docs.add(['from' : calls.buckets[i].key , 'gt' : calls.buckets[i].grand_total.value]);status=true} } ctx.vars.alerts=docs; return status",
        "lang": "painless"
      }
    },
    "metadata": {
      "name": "Watcher_test_1"
    },
    "result": {
      "execution_time": "2017-10-26T12:37:31.805Z",
      "execution_duration": 41,
      "input": {
        "type": "search",
        "status": "success",
        "payload": {
          "_shards": {
            "total": 5,
            "failed": 0,
            "successful": 5,
            "skipped": 0
          },
          "hits": {
            "hits": [],
            "total": 73,
            "max_score": 0
          },
          "took": 39,
          "timed_out": false,
          "aggregations": {
            "origin": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": [
                {
                  "doc_count": 4,
                  "call_ref": {
                    "doc_count_error_upper_bound": 0,
                    "sum_other_doc_count": 0,
                    "buckets": [
                      {
                        "doc_count": 2,
                        "total_duration": {
                          "value": 3
                        },
                        "key": "08cQ129462004118bcGhEfEpJll"
                      },
                      {
                        "doc_count": 2,
                        "total_duration": {
                          "value": 4
                        },
                        "key": "M7bV6124620041K7bcGhEfEjGmg"
                      }
                    ]
                  },
                  "grand_total": {
                    "value": 7
                  },
                  "key": "376343543"
                },
                  ......
         }
              ]
            }
          }
        },
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "new_sbc"
            ],
            "types": [],
            "body": {
              "query": {
                "bool": {
                  "filter": [
                    {
                      "terms": {
                        "oper.keyword": [
                          "START",
                          "STOP"
                        ]
                      }
                    },
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "2017-10-04T20:46:00.000Z",
                          "lte": "2017-10-04T20:46:30.000Z"
                        }
                      }
                    }
                  ]
                }
              },
              "size": 0,
              "aggs": {
                "origin": {
                  "terms": {
                    "field": "from.keyword",
                    "size": 10000,
                    "min_doc_count": 2
                  },
                  "aggs": {
                    "call_ref": {
                      "terms": {
                        "field": "call_ref.keyword",
                        "size": 10000,
                        "min_doc_count": 2
                      },
                      "aggs": {
                        "total_duration": {
                          "sum": {
                            "field": "duration"
                          }
                        }
                      }
                    },
                    "grand_total": {
                      "sum_bucket": {
                        "buckets_path": "call_ref>total_duration"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      },
      "condition": {
        "type": "script",
        "status": "success",
        "met": true
      },
      "actions": [
        {
          "id": "my-logging-action",
          "type": "logging",
          "status": "success",
          "logging": {
            "logged_text": "There are  From: 34606117751: Total 268.0"
          }
        }
      ]
    },
    "messages": []
  }
}

Hi Alex,
I realize that the problem is not in the construction of the JSON array, it is here

def calls=ctx.payload.aggregations.origin;for (int i = 0; i < **calls.size()**; ++i)

I expect that def calls.size() evaluates to the number of buckets I have to loop, but it does not :(

I'll try to find out how..

Regards and Thank you

Here was the error.
It should be

    calls.buckets.size()

instead of

    calls.size()

Thank you and Regards
Anna
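
An added example, not part of the original thread: the condition script from the posts above with the fix applied, written over several lines. In the execute output above, `origin` is a map with three keys (`doc_count_error_upper_bound`, `sum_other_doc_count`, `buckets`), so `calls.size()` is 3 and the original loop only looked at the first three buckets, silently skipping the rest. The variable names and the null guard are assumptions of this example.

```painless
// Added example (not the poster's code): corrected watch condition.
// Iterate the bucket list itself rather than indexing up to the size
// of the enclosing aggregation map.
def alerts = [];
def buckets = ctx.payload.aggregations.origin.buckets;

for (def bucket : buckets) {
  def total = bucket.grand_total.value;
  // Defensive guard (assumption): skip a bucket whose sum_bucket
  // value is missing instead of failing the whole condition.
  if (total != null && total > 34) {
    // Same map shape as in the original script: 'from' and 'gt'.
    alerts.add(['from': bucket.key, 'gt': total]);
  }
}

// Expose every offending bucket to the actions, as the original intended.
ctx.vars.alerts = alerts;

// The condition is met when at least one bucket crossed the threshold.
return alerts.size() > 0;
```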
