I'm attempting to put together a JSON document that will report the maximum value recorded against any host over a designated period.
However, although the definition below parses without error, no entries at all are being posted to the email, even though I can clearly see the correct values being exposed when I run a simulation.
I'd be grateful if anybody could point out where I am going wrong below:
{
"trigger": {
"schedule": {
"interval": "60m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"metricbeat-*"
],
"types": ,
"body": {
"aggs": {
"host": {
"terms": {
"field": "host",
"order": {
"disk_usage": "asc"
}
},
"aggs": {
"disk_usage": {
"max": {
"field": "windows.perfmon.LogicalDiskF.FreeSpace.pct"
}
}
}
}
},
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-{{ctx.metadata.window_period}}"
}
}
},
{
"range": {
"windows.perfmon.LogicalDiskF.FreeSpace.pct": {
"gt": 0,
"lte": "{{ctx.metadata.threshold}}"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"email_me": {
"throttle_period_in_millis": 120000,
"email": {
"profile": "standard",
"attachments": {
"XXX_F_DRIVE_FREE_SPACE.json": {
"data": {
"format": "json"
}
}
},
"from": "123456@xxx.co.uk",
"to": [
"xxx.xx.xx@xxxxxxxxx.com"
],
"subject": " ELASTIC ALERT: Free Disk Space on F",
"body": {
"html": "The following hosts have less than {{ctx.metadata.threshold}}% free disk space on the F: drive:
{{#ctx.payload.hosts}}
{{disk_usage}}%:{{/ctx.payload.hosts}}"
}
}
}
},
"metadata": {
"window_period": "60m",
"threshold": 5
}
}