Hi All,
I am new to Elastic (v. 6.5) and am stuck on a Watcher email alert. I have the two issues below:
- The email prints only the server names, not their CPU usage.
- The 70% threshold filter is not being applied.
Any help is highly appreciated.

PUT _xpack/watcher/watch/DU-test
{
"trigger": {
"schedule": {
"interval": "60m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"metricbeat-*"
],
"types": ,
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"gte": "now-15m",
"lte": "now",
"format": "epoch_millis"
}
}
},
"should": [
{
"match_phrase": {
"host.name": "app08"
}
},
{
"match_phrase": {
"host.name": "app09"
}
},
{
"match_phrase": {
"host.name": "app10"
}
}
],
"minimum_should_match": 1
}
},
"aggs": {
"bucketAgg": {
"terms": {
"field": "host.name",
"size": 10,
"order": {
"metricAgg": "desc"
}
},
"aggs": {
"metricAgg": {
"max": {
"field": "system.cpu.system.pct"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"lang": "painless",
"source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value > params.threshold) { return true; } } return false;","params": { "threshold": 0.70 } }
},
"actions": {
"email_1": {
"email": {
"profile": "standard",
"priority": "high",
"to": [ "xyz@ab.com" ],
"subject": "CPU Details",
"body": {
"html": "Below are details:- {{#ctx.payload.aggregations.bucketAgg.buckets}}
- {{key}} {{/ctx.payload.aggregations.bucketAgg.buckets}}
}
}
}
},
"metadata": {
"color": "red"
}
}

------------------------- Dev Tools: trimmed output -------------------------
"result" : { "execution_time" : "2019-02-04T04:56:47.962Z", "execution_duration" : 146, "input" : { "type" : "search", "status" : "success", "payload" : { "_shards" : { "total" : 33, "failed" : 0, "successful" : 33, "skipped" : 0 }, "hits" : { "hits" : [ ], "total" : 4304, "max_score" : 0.0 }, "took" : 3, "timed_out" : false, "aggregations" : { "bucketAgg" : { "doc_count_error_upper_bound" : 0, "sum_other_doc_count" : 0, "buckets" : [ { "doc_count" : 1503, "metricAgg" : { "value" : 0.847 }, "key" : "app09" }, { "doc_count" : 1440, "metricAgg" : { "value" : 0.618 }, "key" : "app10" }, { "doc_count" : 1361, "metricAgg" : { "value" : 0.516 }, "key" : "app08" } ] } } }, #trimmed "condition" : { "type" : "script", "status" : "success", "met" : true }, "actions" : [ { "id" : "email_1", "type" : "email", "status" : "success", "email" : { "account" : "standard", "message" : { "id" : "email_1_DU-test_f982fcbb-b04f-40f7-b494-7abb6948842e-2019-02-04T04:56:47.962Z", "from" : "xyz@abc.com", "priority" : "high", "sent_date" : "2019-02-04T04:56:47.966Z", "to" : [ "xyz@ab.com" ], "subject" : "CPU Details", "body" : { "html" : "Found events matching Open Source: <ul><li>app09</li><li>app10</li><li>app08</li></ul>" } } } } ] }, "messages" : [ ]
}
}