There is no match between one term and another in the result of a watcher

Good day,
I have a problem with an alert whose result contains several terms aggregations: the value of the first term does not correspond to the value of the second, for example.

As you can see in the red circle, the term "ADUANILLA DE PAIBA" has the IP "10.80.10.101", but in the result when I run my watcher that IP does not appear; that is, it does not match, and a different IP that does not belong to that name is shown instead.


"actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__975a4c18-de54-4fee-862d-84d510bef85c-2021-09-27T15:50:33.947816Z_29049",
            "sent_date": "2021-09-27T15:50:33.953284Z",
            "to": [
              "juan.jaramillo@megadvantage.com",
              "victor.vera@megadvantage.com"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Estado UPS Distrital ",
            "body": {
              "text": "\n\n        El estado de la UPS ADUANILLA DE PAIBA con la IP 10.16.10.102 Esta Modo Normal\n\n\n          \n\n          •Para mas informacion ingrese al siguiente enlace:\n          \n          https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/distrital/app/kibana#/dashboard/c3aa6120-fba9-11eb-ab41-13c85c32210d\n          \n          "
            }
          }
        }
      }
    ]
  },
  "messages": []
}

This is my code:

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "ups-distrital*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-5m/m",
                    "lt": "now/m"
                  }
                }
              }
            }
          },
          "aggs": {
            "terms1": {
              "terms": {
                  "size": 1,
                "field": "Name.keyword"
              }
            },
            "terms2": {
              "terms": {
                  "size": 1,
                "field": "IP.keyword"
              }
            },
            "terms3": {
              "terms": {
                "field": "upsState.keyword"
              }
            },
            "metricAgg": {
              "max": {
                "field": "State"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.aggregations.metricAgg.value > params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 2
      }
    }
  },
  "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          "juan.jaramillo@megadvantage.com",
          "victor.vera@megadvantage.com"
        ],
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}} ",
        "body": {
          "text": """

        El estado de la UPS {{ctx.payload.terms1.buckets.0.key}} con la IP {{ctx.payload.terms2.buckets.0.key}} Esta {{ctx.payload.terms3.buckets.0.key}}


          

          •Para mas informacion ingrese al siguiente enlace:
          
          https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/distrital/app/kibana#/dashboard/c3aa6120-fba9-11eb-ab41-13c85c32210d
          
          """
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": """
        return [
        'local_execution_time' : ctx.trigger.triggered_time.withZoneSameInstant(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')),
        'terms1' : ctx.payload.aggregations.terms1,
        'terms2' : ctx.payload.aggregations.terms2,
        'terms3' : ctx.payload.aggregations.terms3,
        'metricAgg' : ctx.payload.aggregations.metricAgg.value
          ]
      """,
      "lang": "painless"
    }
  }
}
