Using two date ranges in one Watcher

I have a group of indices (tracking-v1-*) containing documents representing parts of a fibre optic network (one document per day and construction crew). I want to create a Watcher that generates a daily report, showing the length of the infrastructure built on the previous day and in the current month. Is this possible?

I tried this:

PUT _watcher/watch/daily_report_dev
{
  "trigger" : { "schedule" : { "daily" : { "at" : "7:00" }}},
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": ["tracking-v1-*"],
        "rest_total_hits_as_int": true,
        "body": {
          "aggs": {
            "by_time_range": {
              "date_range": {
                "field": "sample_date",
                "ranges": [
                  {
                    "key": "last_day",
                    "from": "now-1d/d",
                    "to": "now/d"
                  },
                  {
                    "key": "this_month",
                    "from": "now/M",
                    "to": "now"
                  }
                ]
              },
              "aggs": {
                "sum": {
                  "sum": {
                    "field": "progress_delta.infrastructure_length_total"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions" : {
    "my_webhook" : {
      "webhook" : {
        "url" : "(redacted)",
        "method" : "POST",
        "body" : "{\"text\": \"Yesterday: {{ctx.payload.aggregations.by_time_range.last_day.sum.value}} meters \n\n this month: {{ctx.payload.aggregations.by_time_range.this_month.sum.value}}\"}"
      }
    }
  }
}

In the result, the aggregations are calculated correctly:

"aggregations" : {
            "by_time_range" : {
              "buckets" : [
                {
                  "from_as_string" : "2023-01-01",
                  "doc_count" : 71,
                  "to_as_string" : "2023-01-05",
                  "from" : 1.6725312E12,
                  "sum" : {
                    "value" : 921.7725545830864
                  },
                  "to" : 1.672918156753E12,
                  "key" : "this_month"
                },
                {
                  "from_as_string" : "2023-01-04",
                  "doc_count" : 19,
                  "to_as_string" : "2023-01-05",
                  "from" : 1.6727904E12,
                  "sum" : {
                    "value" : 72.34877394341495
                  },
                  "to" : 1.6728768E12,
                  "key" : "last_day"
                }
              ]
            }
          }

But the message looks like this:

Yesterday: meters
this month: meters

I also tried this:

PUT _watcher/watch/daily_report_dev
{
  "trigger" : { "schedule" : { "daily" : { "at" : "7:00" }}},
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": ["tracking-v1-*"],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "sample_date": {
                      "gte": "now-1M"
                    }
                  }
                },
                {
                  "range": {
                    "sample_date": {
                      "gte": "now-1d"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "total_length_day": {
              "sum": {
                "field": "progress_delta.infrastructure_length_total"
              }
            },
            "total_length_month": {
              "sum": {
                "field": "progress_delta.infrastructure_length_total"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions" : {
    "my_webhook" : {
      "webhook" : {
        "url" : "(redacted)",
        "method" : "POST",
        "body" : "{\"text\": \"Yesterday: {{ctx.payload.aggregations.total_length_day.value}} meters \n\n this month: {{ctx.payload.aggregations.total_length_month.value}} meters\"}"
      }
    }
  }
}

But in this case, there are no hits.

Do you have any idea how this could work? Or is it just not possible to use two different ranges in one Watcher?

Try

{{ctx.payload.aggregations.by_time_range.buckets.0.sum.value}}

and

{{ctx.payload.aggregations.by_time_range.buckets.1.sum.value}}

I guess monthly should be accessible like:

{{ctx.payload.aggregations.by_time_range.buckets[0].sum.value}}

and for daily:

{{ctx.payload.aggregations.by_time_range.buckets[1].sum.value}}

Essentially buckets is an array, you need to use the offset to read the particular element in the array.

Thank you! This worked. I was first confused by the order of results: They are sorted chronologically. So (as @Ayush_Mathur said) it's 0 for the month, 1 for the day, even though it was the other way around in my request.

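An alternative to positional bucket access, as an added example that is not part of the original thread: setting "keyed": true on the date_range aggregation returns the buckets as an object keyed by each range's "key", so the template can address last_day and this_month by name regardless of the order in which the buckets come back. The watch name daily_report_keyed is hypothetical; the index pattern, field names and webhook settings are copied from the question.

```console
# Added example, not from the thread. The watch name "daily_report_keyed" is hypothetical.
# "keyed": true makes date_range return buckets as an object keyed by each range's "key",
# so the template below reads buckets.last_day / buckets.this_month instead of buckets.0 / buckets.1.
PUT _watcher/watch/daily_report_keyed
{
  "trigger": { "schedule": { "daily": { "at": "7:00" } } },
  "input": {
    "search": {
      "request": {
        "indices": ["tracking-v1-*"],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "aggs": {
            "by_time_range": {
              "date_range": {
                "field": "sample_date",
                "keyed": true,
                "ranges": [
                  { "key": "last_day", "from": "now-1d/d", "to": "now/d" },
                  { "key": "this_month", "from": "now/M", "to": "now" }
                ]
              },
              "aggs": {
                "sum": { "sum": { "field": "progress_delta.infrastructure_length_total" } }
              }
            }
          }
        }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total": { "gte": 1 } } },
  "actions": {
    "my_webhook": {
      "webhook": {
        "url": "(redacted)",
        "method": "POST",
        "body": "{\"text\": \"Yesterday: {{ctx.payload.aggregations.by_time_range.buckets.last_day.sum.value}} meters\\nThis month: {{ctx.payload.aggregations.by_time_range.buckets.this_month.sum.value}} meters\"}"
      }
    }
  }
}
```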