Using two date ranges in one Watcher

mariusk · January 5, 2023, 1:59pm

I have a group of indices (tracking-v1-*) containing documents representing parts of a fibre optic network (one document per day and construction crew). I want to create a Watcher that generates a daily report, showing the length of the infrastructure built on the previous day and in the current month. Is this possible?

I tried this:

PUT _watcher/watch/daily_report_dev
{
  "trigger" : { "schedule" : { "daily" : { "at" : "7:00" }}},
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": ["tracking-v1-*"],
        "rest_total_hits_as_int": true,
        "body": {
					"aggs": {
						"by_time_range": {
							"date_range": {
								"field": "sample_date",
								"ranges": [
									{
									"key": "last_day",
									"from": "now-1d/d",
									"to": "now/d"
									},
									{
									"key": "this_month",
									"from": "now/M",
									"to": "now"
									}
								]
							},
							"aggs": {
								"sum": {
									"sum": {
									"field": "progress_delta.infrastructure_length_total"
									}
								}
							}
						}
					}
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions" : {
		"my_webhook" : { 
			"webhook" : {
				"url" : "(redacted)",
				"method" : "POST",
				"body" : "{\"text\": \"Yesterday: {{ctx.payload.aggregations.by_time_range.last_day.sum.value}} meters \n\n this month: {{ctx.payload.aggregations.by_time_range.this_month.sum.value}}\"}"
			}
		}
	}
}

In the result, the aggregations are calculated correctly:

"aggregations" : {
            "by_time_range" : {
              "buckets" : [
                {
                  "from_as_string" : "2023-01-01",
                  "doc_count" : 71,
                  "to_as_string" : "2023-01-05",
                  "from" : 1.6725312E12,
                  "sum" : {
                    "value" : 921.7725545830864
                  },
                  "to" : 1.672918156753E12,
                  "key" : "this_month"
                },
                {
                  "from_as_string" : "2023-01-04",
                  "doc_count" : 19,
                  "to_as_string" : "2023-01-05",
                  "from" : 1.6727904E12,
                  "sum" : {
                    "value" : 72.34877394341495
                  },
                  "to" : 1.6728768E12,
                  "key" : "last_day"
                }
              ]
            }
          }

But the message looks like this:

Yesterday: meters
this month: meters

I also tried this:

PUT _watcher/watch/daily_report_dev
{
  "trigger" : { "schedule" : { "daily" : { "at" : "7:00" }}},
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": ["tracking-v1-*"],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
						"bool": {
							"must": [
								{
									"range": {
										"sample_date": {
											"gte": "now-1M"
										}
									}
								},
								{
									"range": {
										"sample_date": {
											"gte": "now-1d"
										}
									}
								}
							]
						}
					},
					"aggs": {
						"total_length_day": {
							"sum": {
								"field": "progress_delta.infrastructure_length_total"
							}
						},
						"total_length_month": {
							"sum": {
								"field": "progress_delta.infrastructure_length_total"
							}
						}
					}
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions" : {
		"my_webhook" : { 
			"webhook" : {
				"url" : "(redacted)",
				"method" : "POST",
				"body" : "{\"text\": \"Yesterday: {{ctx.payload.aggregations.total_length_day.value}} meters \n\n this month: {{ctx.payload.aggregations.total_length_month.value}} meters\"}"
			}
		}
	}
}

But in this case, there are no hits.

Do you have any idea how this could work? Or is it just not possible to use two different ranges in one Watcher?

richcollier · January 5, 2023, 10:11pm

Try

{{ctx.payload.aggregations. by_time_range.buckets.0.sum.value}}

and

{{ctx.payload.aggregations. by_time_range.buckets.1.sum.value}}

Ayush_Mathur · January 6, 2023, 7:51am

I guess monthly should be accessible like:

{{ctx.payload.aggregations.by_time_range.buckets[0].sum.value}}

and for daily:

{{ctx.payload.aggregations.by_time_range.buckets[1].sum.value}}

Essentially buckets is an array, you need to use the offset to read the particular element in the array.

mariusk · January 6, 2023, 3:26pm

Thank you! This worked. I was first confused by the order of results: They are sorted chronologically. So (as @Ayush_Mathur said) it's 0 for the month, 1 for the day, even though it was the other way around in my request.

system · February 3, 2023, 3:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alerts for missing results during the last week Elasticsearch elastic-stack-alerting	2	273	January 30, 2023
Watcher multiple queries/ query within range field Elasticsearch elastic-stack-alerting	8	4564	December 19, 2016
Watcher: same query two different ranges (times) Elasticsearch elastic-stack-alerting	2	617	November 17, 2022
Watcher not work perfect Elasticsearch elastic-stack-monitoring , elastic-stack-alerting	4	336	November 2, 2020
Mixing Range aggregation and computing days between 2 dates? Elasticsearch	2	395	July 6, 2017

Using two date ranges in one Watcher

Related Topics