Stop Watcher after first alert

Is there a way to stop watcher sending alerts after the first one?

So it only sends alerts for new errors.

I tried adding a second condition so it's not only just checking for a payload greater than 1 but for ctx.execution_time < now-15s.

But the watcher doesn't like it when I try to add two conditions. Maybe I'm doing it wrong; do I need to add a Boolean?

Time throttling does not work in this situation. Below is my watcher.

```json
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "filebeat-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-15s"
                    }
                  }
                },
                {
                  "match": {
                    "source": "/foo/bar"
                  }
                },
                {
                  "match": {
                    "foos": "foo"
                  }
                },
                {
                  "match": {
                    "foo": "foo"
                  }
                },
                {
                  "match": {
                    "foo": "foo"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 1
      }
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period_in_millis": 2000,
      "email": {
        "message": {
          "to": [
            "foo"
          ],
          "text": "foofoofoofoofoofoofoofoofoofoovfoofoofoofoofoofoo"
        }
      }
    }
  }
}
```

You can have more than one condition when using a script condition and writing a painless script. Another approach would be to query not only the last 15 seconds, but also the 15 second window before that and if that one was already true, you could decide not to execute this time. Note that this may miss an execution though.
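As an added example (not code from any post in this thread), here is one way to write the second approach from that reply: a single search over the last 30 seconds, split by a `date_range` aggregation into a "previous" and a "current" 15-second bucket, with a Painless script condition that only fires when the current bucket has hits and the previous one had none. The index pattern, `source` path and `> 1` threshold are copied from the question's watch; the email action fields are placeholders. As the reply warns, errors that keep arriving across both windows will never trigger this condition.

```json
{
  "trigger": { "schedule": { "interval": "15s" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "filebeat-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-30s" } } },
                { "match": { "source": "/foo/bar" } }
              ]
            }
          },
          "aggs": {
            "windows": {
              "date_range": {
                "field": "@timestamp",
                "keyed": true,
                "ranges": [
                  { "key": "previous", "from": "now-30s", "to": "now-15s" },
                  { "key": "current", "from": "now-15s" }
                ]
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "def w = ctx.payload.aggregations.windows.buckets; return w.current.doc_count > 1 && w.previous.doc_count == 0;"
    }
  },
  "actions": {
    "notify-email": {
      "throttle_period": "15s",
      "email": {
        "to": [ "ops@example.com" ],
        "subject": "New errors in /foo/bar",
        "body": "{{ctx.payload.aggregations.windows.buckets.current.doc_count}} new errors in the last 15s"
      }
    }
  }
}
```

The `from` bound of a `date_range` bucket is inclusive and `to` is exclusive, so a document is counted in exactly one of the two windows.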

I ended up using the example from here. I filtered anything more than 25s while setting the interval of the watcher to 20s.

It does only send one notification for that record before it leaves that 5 second window.

I have noticed that this isn't perfect. It does miss a couple of records, but for the most part it works to a satisfactory level.
