Trying to create a watcher for 1 url

Hi team,

I am using Heartbeat to monitor some URLs.
I am trying to create a watcher alert for 1 specific url but I get stuck. Here is my code:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "heartbeat**" ],
        "body" : {
          "size" : 1,
          "sort" : {
            "@timestamp" : { "order" : "desc"}
          },
          "query": {
            "match" : {
                "url.domain" : {
                    "query" : "URL"
                }
            }
          }
        }
      },
      "extract": [ "summary.down" ]
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "eq" : 1 }}
  },
  "actions": {
    "my_webhook": {
      "webhook": {
        "scheme": "https",
        "host": "",
        "port": 443,
        "method": "POST"
      }
    }
  }
}

So url.domain is a field, which I am trying to match against only one URL to get the events for it.
Summary.down is a field which can contain a 1 or 0.

I hope somebody can help me with this.

Best regards,
Robin

Hey,

a couple of things.

  1. The indices do not need two asterisks
  2. If you want to filter for a service being down, add that to the query
  3. Also add a range timestamp filter, so you make sure that a service being down two weeks ago does not result in a hit or in an action being triggered.
  4. The condition should be greater than or equal and not equal

Furthermore, one of your best companions when trying to write a watch is the execute watch API which helps you to debug the execution of a watch and can be invoked easily, so you do not have the store/execute watch pattern anymore.

--Alex

Thanks for your response. I have rewritten my watcher:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "heartbeat*" ],
        "body" : {
          "size" : 1,
          "sort" : {
            "@timestamp" : { "order" : "desc"}
          },
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-11s"
                     }
                    }
                  }
                ]
              },
              "dis_max": {
                "queries": [
                  { "match": { "url.domain": "<URL>" }},
                  { "match": { "summary.down": "1" }}
                ]
              } 
          }
      }
    }
  }
},
  "condition" : {
    "compare" : { "ctx.payload.hits.total.value" : { "eq" : 1 }}
  },
  "actions": {
    "my_webhook": {
      "webhook": {
        "scheme": "https",
        "host": "",
        "port": 443,
        "method": "GET"
      }
    }
  }
}

Now I am getting this error:
"[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",

How can I fix this? I don't understand the issue.

Best regards,
Robin

bool query has no support for dis_max. I guess you want to wrap that one into the must/should part?

See https://www.elastic.co/guide/en/elasticsearch/reference/7.6/query-dsl-bool-query.html

Thanks, I fixed it with the must options and should options.

I see this in the output:

"condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total.value": null
        }
      }
    },

It should be met, but it gives me "false". That's strange, right?

Please share the full output. I suppose that field does not exist in the response.

{
  "watch_id": "_inlined_",
  "node": "5hq5hiasQxaOoUp-raT4pg",
  "state": "execution_not_needed",
  "user": "<USER>",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2020-03-19T20:02:25.556Z"
    },
    "last_checked": "2020-03-19T20:02:25.556Z",
    "actions": {
      "my_webhook": {
        "ack": {
          "timestamp": "2020-03-19T20:02:25.556Z",
          "state": "awaits_successful_execution"
        }
      }
    },
    "execution_state": "execution_not_needed",
    "version": -1
  },
  "trigger_event": {
    "type": "manual",
    "triggered_time": "2020-03-19T20:02:25.556Z",
    "manual": {
      "schedule": {
        "scheduled_time": "2020-03-19T20:02:25.556Z"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 1,
          "sort": {
            "@timestamp": {
              "order": "desc"
            }
          },
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-11s"
                    }
                  }
                }
              ],
              "must": {
                "term": {
                  "url.domain": "<URL>"
                }
              },
              "should": [
                {
                  "term": {
                    "summary.up": "1"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total.value": {
        "eq": 1
      }
    }
  },
  "metadata": {
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2020-03-19T20:02:25.556Z",
    "execution_duration": 7,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 4,
          "failed": 0,
          "successful": 4,
          "skipped": 0
        },
        "hits": {
          "hits": [
            {
              "_index": "heartbeat-7.4.2-2020.02.21-000004",
              "_type": "_doc",
              "_source": {
                "tcp": {
                  "rtt": {
                    "connect": {
                      "us": 26323
                    }
                  }
                },
                "summary": {
                  "up": 1,
                  "down": 0
                },
                "agent": {
                  "hostname": "HOST",
                  "id": "ID",
                  "type": "heartbeat",
                  "ephemeral_id": "ID",
                  "version": "7.4.2"
                },
                "resolve": {
                  "rtt": {
                    "us": 2266
                  },
                  "ip": "IP"
                },
                "monitor": {
                  "duration": {
                    "us": 147059
                  },
                  "ip": "IP",
                  "name": "HTTP_URL_CHECKS",
                  "id": "auto-http-0XEF9D542877AA9A74-9091f5efdb1e6549",
                  "check_group": "81f0345c-6a1c-11ea-a783-0050563ee8bd",
                  "type": "http",
                  "status": "up"
                },
                "url": {
                  "path": "PATH",
                  "scheme": "https",
                  "port": 443,
                  "domain": "<DOMAIN>",
                  "full": "<URL>"
                },
                "observer": {
                  "hostname": "HOST"
                },
                "@timestamp": "2020-03-19T20:02:15.366Z",
                "ecs": {
                  "version": "1.1.0"
                },
                "host": {
                  "name": "<NAME>"
                },
                "http": {
                  "rtt": {
                    "response_header": {
                      "us": 28207
                    },
                    "total": {
                      "us": 144661
                    },
                    "write_request": {
                      "us": 195
                    },
                    "content": {
                      "us": 411
                    },
                    "validate": {
                      "us": 28619
                    }
                  },
                  "response": {
                    "status_code": 200,
                    "body": {
                      "bytes": 3674,
                      "hash": "a71f5e3f7d7282d4ccb018e12aefa554a75b7e3d8df9a9326a01b470e3b58197"
                    }
                  }
                },
                "tls": {
                  "certificate_not_valid_before": "2019-01-09T11:38:33.000Z",
                  "rtt": {
                    "handshake": {
                      "us": 89524
                    }
                  },
                  "certificate_not_valid_after": "2021-01-09T11:48:00.000Z"
                },
                "event": {
                  "dataset": "uptime"
                }
              },
              "_id": "WcBj9HABu_F65M8Vpyg7",
              "sort": [
                1584648135366
              ],
              "_score": null
            }
          ],
          "total": 1,
          "max_score": null
        },
        "took": 4,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "heartbeat*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 1,
            "sort": {
              "@timestamp": {
                "order": "desc"
              }
            },
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-11s"
                      }
                    }
                  }
                ],
                "must": {
                  "term": {
                    "url.domain": "<URL>"
                  }
                },
                "should": [
                  {
                    "term": {
                      "summary.up": "1"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total.value": null
        }
      }
    },
    "actions": []
  },
  "messages": []
}

Check the result.input.payload field, which contains your search response. It does not contain a hits.total.value field, but only a hits.total field.
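The advice in this thread combined into one watch, as an added example that is not part of the original posts: every clause sits in the bool filter, and the condition reads hits.total, which is an integer because the request carries rest_total_hits_as_int: true (visible in the execution output above). The two example.com names, the /heartbeat-down path, the message body and the now-2m window are assumptions.

```json
{
  "metadata": {
    "note": "Added example. Hosts, path, body and the now-2m window are placeholders, not values from the thread."
  },
  "trigger": {
    "schedule": { "interval": "1m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "heartbeat*" ],
        "body": {
          "size": 1,
          "sort": { "@timestamp": { "order": "desc" } },
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-2m" } } },
                { "term": { "url.domain": "monitored.example.com" } },
                { "term": { "summary.down": 1 } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gte": 1 } }
  },
  "actions": {
    "my_webhook": {
      "webhook": {
        "scheme": "https",
        "host": "alerts.example.com",
        "port": 443,
        "method": "POST",
        "path": "/heartbeat-down",
        "body": "{{ctx.payload.hits.hits.0._source.url.full}} is down"
      }
    }
  }
}
```

Sending this body inline to the execute watch API, as recommended earlier in the thread, returns the resolved condition value without storing the watch.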

Thanks Alexander! That has fixed it :).

Can I also ask a question about the webhook which I am using to send a message to a Twitter bot? Or should I open a new ticket for that?

Please open a new discuss thread if this is a new topic; that'll make it easier for others to check if a thread had a proper solution.

Thanks!