Hello !
I'm actually trying to monitor some url and return its status if error. I am ok with that and I added a throttle_period = 10m to prevent spam (my interval is 1m) but if a new url fall in this period I will get the information too late. So is it possible to have a throttle period but allow url change bypass it ?
Here my watch:
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"heartbeat-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-5m",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
]
}
},
"aggs": {
"status_terms": {
"terms": {
"field": "http.response.status_code",
"order": {
"_key": "asc"
}
},
"aggs": {
"test": {
"terms": {
"field": "url.full"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"source": "ArrayList arr = ctx.payload.aggregations.status_terms.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i].key > params.threshold) { return true; } } return false;",
"lang": "painless",
"params": {
"threshold": 299
}
}
},
"actions": {
"slack_1": {
"throttle_period_in_millis": 600000,
"foreach": "ctx.payload.results",
"max_iterations": 100,
"slack": {
"message": {
"text": "URL: {{ctx.payload.value}}\nSTATUS_CODE: {{ctx.payload.key}}"
}
}
}
},
"transform": {
"script": {
"source": "HashMap result=new HashMap();ArrayList arr=ctx.payload.aggregations.status_terms.buckets;ArrayList filteredHits=new ArrayList();for(int i=0;i<arr.length;i++){if(arr[i].key>params.threshold){for(int j=0;j<arr[i].test.buckets.length;j++){HashMap filteredHit=new HashMap();filteredHit.key=arr[i].key;filteredHit.value=arr[i].test.buckets[j].key;filteredHits.add(filteredHit); } } } result.results=filteredHits;return result;",
"lang": "painless",
"params": {
"threshold": 299
}
}
}
}