Using Bucket Fields in Watcher

ntran · August 16, 2019, 7:39pm

Hi,

My goal: To create an alert that tells me when a customer has not received a log.

My problem: The name of the customer is within an aggregated field.

My question: How do I retrieve the customer name and how can I incorporate this changing field into in the action?

// Below is my watcher thus far

gist.github.com

https://gist.github.com/nhtrn/df2ccf1d0e81136e3daf964e8ecfccaa

gistfile1.txt

PUT _watcher/watch/test
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {

This file has been truncated. show original

// Below is the aggregated query. Is it possible to retrieve the "key" field and have it appear in my action?

gist.github.com

https://gist.github.com/nhtrn/0af1ca7e359b2a40a2ecc84ddf44d435

elasticsearchAggregatedField

"aggregations" : {
    "forward_to" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "EXPO",
          "doc_count" : 384860209
        }
      ]

This file has been truncated. show original

Any advice is greatly appreciated!
Thank you in advance

spinscale · August 19, 2019, 6:57am

please share the output of the Execute Watch API, which makes it a lot easier to follow your steps.

ntran · August 19, 2019, 8:23am

Hi @spinscale,

I have yet to do my "action" section, which is where I am struggling.
For the time being, I have put in a "text" action.

//Watcher Executed output

gist.github.com

https://gist.github.com/nhtrn/df5bdabc0384d47792756decdf2c41ff

watcherExecutedOutput

{
  "watch_id": "_inlined_",
  "node": "2wsFClF8QneXt9cuG_L1yw",
  "state": "execution_not_needed",
  "user": "ttran",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2019-08-19T08:21:14.483Z"
    },

This file has been truncated. show original

Thank you,
Nhung

ntran · August 19, 2019, 8:39am

I don't know if this is correct, but am I on somewhat on the right track?

// Watcher action

gist.github.com

https://gist.github.com/nhtrn/4500e15b30cee54ff14711596c26263f

action

"actions": {
    "log": {
      "logging": {
        "text": "{{ctx.payload.aggregations.managedobjectref.buckets.timerange.buckets.key}} has received {{ctx.payload.aggregations.managedobjectref.buckets.timerange.buckets.doc_count}} logs"

spinscale · August 19, 2019, 9:31am

I just realized we are talking across two threads here. I will stop replying to this one. Please keep it to a single thread. Thanks!

system · September 16, 2019, 9:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sub Aggregated Field \| Watcher Action Elasticsearch Elasticsearch	2	345	September 23, 2019
Watcher basics Looping into the bucket and processing its values Elasticsearch elastic-stack-monitoring , elastic-stack-alerting	2	1639	July 28, 2020
Using the payload data (fields) after aggregated to bucket, in Elastic Watcher Action email Elasticsearch elastic-stack-alerting	4	1174	April 26, 2022
Problem extracting buckets Elasticsearch elastic-stack-alerting	2	1095	July 6, 2017
How to use aggregation fields in Watcher action body (with foreach loop)? Elasticsearch	2	912	September 7, 2022

Using Bucket Fields in Watcher

Related topics