There is no match between one term and another in the result of a watcher

Juan_David_Jaramillo · September 27, 2021, 3:52pm

very good day,
I have a problem with an alert when I get a result of several terms, i.e. the first term does not match the second, for example.

As you can see in the red circle the term "ADUANILLA DE PAIBA" has the IP "10.80.10.101" and in the result when I run my watcher the same IP does not appear, I mean that it does not match, it comes out with another IP that does not correspond to it.


"actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__975a4c18-de54-4fee-862d-84d510bef85c-2021-09-27T15:50:33.947816Z_29049",
            "sent_date": "2021-09-27T15:50:33.953284Z",
            "to": [
              "juan.jaramillo@megadvantage.com",
              "victor.vera@megadvantage.com"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Estado UPS Distrital ",
            "body": {
              "text": "\n\n        El estado de la UPS ADUANILLA DE PAIBA con la IP 10.16.10.102 Esta Modo Normal\n\n\n          \n\n          •Para mas informacion ingrese al siguiente enlace:\n          \n          https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/distrital/app/kibana#/dashboard/c3aa6120-fba9-11eb-ab41-13c85c32210d\n          \n          "
            }
          }
        }
      }
    ]
  },
  "messages": []
}

Juan_David_Jaramillo · September 27, 2021, 3:53pm

Juan_David_Jaramillo · September 27, 2021, 3:53pm

This is my code:

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "ups-distrital*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-5m/m",
                    "lt": "now/m"
                  }
                }
              }
            }
          },
          "aggs": {
            "terms1": {
              "terms": {
                  "size": 1,
                "field": "Name.keyword"
              }
            },
            "terms2": {
              "terms": {
                  "size": 1,
                "field": "IP.keyword"
              }
            },
            "terms3": {
              "terms": {
                "field": "upsState.keyword"
              }
            },
            "metricAgg": {
              "max": {
                "field": "State"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.aggregations.metricAgg.value > params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 2
      }
    }
  },
  "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          "juan.jaramillo@megadvantage.com",
          "victor.vera@megadvantage.com"
        ],
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}} ",
        "body": {
          "text": """

        El estado de la UPS {{ctx.payload.terms1.buckets.0.key}} con la IP {{ctx.payload.terms2.buckets.0.key}} Esta {{ctx.payload.terms3.buckets.0.key}}


          

          •Para mas informacion ingrese al siguiente enlace:
          
          https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/distrital/app/kibana#/dashboard/c3aa6120-fba9-11eb-ab41-13c85c32210d
          
          """
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": """
        return [
        'local_execution_time' : ctx.trigger.triggered_time.withZoneSameInstant(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')),
        'terms1' : ctx.payload.aggregations.terms1,
        'terms2' : ctx.payload.aggregations.terms2,
        'terms3' : ctx.payload.aggregations.terms3,
        'metricAgg' : ctx.payload.aggregations.metricAgg.value
          ]
      """,
      "lang": "painless"
    }
  }
}

system · October 25, 2021, 3:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher results returning similar terms instead of specific one Elasticsearch elastic-stack-alerting	6	1132	July 30, 2017
Watcher - show high-bytes by IP Elasticsearch	5	560	November 9, 2017
Watcher matching isn't working - any help? Elasticsearch elastic-stack-alerting	3	1037	July 6, 2017
Watcher results returning similar terms instead of specific one while using match query Elasticsearch	2	342	September 12, 2020
Error watcher with multiple terms and a metric Elasticsearch elastic-stack-alerting , painless	11	820	September 24, 2021

There is no match between one term and another in the result of a watcher

Related topics