Watcher 7.8 Do I have to modify the range of my query to match the timezone?

Hi, I have created an alert that fires whenever a field matches, and I'm having problems making it work. The query works well in Dev Tools when I query for now-7d, but in the watch it is never executed. This is my range:

              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60s",
                      "lte": "now"
                    }
                  }
                }

I was wondering whether I have to modify the range to match my timezone, which is UTC-5?

Elasticsearch works on UTC, so you will likely need to adjust for that, yes.


Mmmm, it seems that it's not necessary. I have another alert identical to the one that has problems, with the same range; the only difference is that it matches another phrase, and it seems to work: I got the email, and the index has a document that matches...


Now I'm confused :thinking:

This is the watcher:

{
  "trigger": {
    "schedule": {
      "interval": "60s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metrics-syslog-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match_phrase": {
                    "syslog_event.keyword": "HSRP-5-STATECHANGE"
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60s",
                      "lte": "now"
                    }
                  }
                },
                {
                  "terms": {
                    "bcp_family.keyword": [
                      "Router ASR"
                    ]
                  }
                }
              ]
            }
          },
          "size": 5
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "throttle_period_in_millis": 60000,
      "transform": {
        "script": {
          "source": """
DateTimeFormatter dtf = DateTimeFormatter.ofPattern("yyyy/MM/dd HH:mm:ss");
// the condition guarantees at least one hit, so the first document is safe to read
def src = ctx.payload.hits.hits[0]._source;
// @timestamp is stored as a UTC instant; render it in Lima local time for the email
String localDate = OffsetDateTime.parse(src['@timestamp']).toInstant().atZone(ZoneId.of("America/Lima")).format(dtf);
return ['date': localDate, 'nodo': src.node_name, 'message': src.syslog_message];
""",
          "lang": "painless"
        }
      },
      "email": {
        "profile": "standard",
        "from": "net@mon.com",
        "to": [
          "my@mail"
        ],
        "subject": "%HSRP-5-STATECHANGE - {{ctx.payload.nodo}} - Alerta de Evento-Elastic",
        "body": {
          "html": """<html>
          ....
            </html>
            """
        }
      }
    }
  }
}

What happens internally here is that your date with a timezone will be converted to UTC and then stored in Elasticsearch. If you are searching for now-5m, it still happened five minutes ago and this will be catered for. As long as you ensure the timezone is set when indexing (via the date or the mapping), all should be good.

Hope that helps to understand what happens here!

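The explanation above can be checked offline. The following Python is an added example, not code from the thread or from Elasticsearch: it mimics how Elasticsearch normalises an `@timestamp` with an explicit offset to a UTC instant, evaluates the watcher's `now-60s` / `now` range against that instant, and reproduces the email transform's conversion to Lima local time. The three syslog documents and the fixed `NOW` are constructed for the example; `LIMA` is a fixed -05:00 offset standing in for `ZoneId.of("America/Lima")` (Peru observes no DST), and the `assume_tz` parameter is an assumption of this example, not an Elasticsearch option. The third document shows the failure mode the reply warns about: a local wall-clock time indexed without its offset is read as UTC and lands five hours outside the window.

```python
from datetime import datetime, timedelta, timezone

# Fixed -05:00 offset standing in for ZoneId.of("America/Lima"); assumption of
# this example so it runs without a tz database.
LIMA = timezone(timedelta(hours=-5))


def parse_timestamp(value: str, assume_tz=timezone.utc) -> datetime:
    """Parse an ISO-8601 @timestamp the way Elasticsearch stores it: an explicit
    offset ("Z", "+00:00", "-05:00") is honoured and the instant is normalised
    to UTC. A value with no offset is taken as UTC (assume_tz), which is what a
    plain `date` mapping does and why local times indexed without an offset
    end up hours off."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=assume_tz)
    return dt.astimezone(timezone.utc)


def in_range(ts: datetime, now: datetime, window: timedelta) -> bool:
    """Mirror the watcher's filter {"gte": "now-60s", "lte": "now"}. Both
    bounds are UTC instants, so the searcher's timezone never enters into it."""
    return now - window <= ts <= now


def matching_hits(docs, now, window=timedelta(seconds=60)):
    """Return the documents the range filter would let through."""
    return [d for d in docs if in_range(parse_timestamp(d["@timestamp"]), now, window)]


def format_for_email(ts_value: str, tz=LIMA) -> str:
    """Equivalent of the watch's transform script: take the stored UTC instant
    and render it in the recipient's zone as yyyy/MM/dd HH:mm:ss."""
    return parse_timestamp(ts_value).astimezone(tz).strftime("%Y/%m/%d %H:%M:%S")


# Constructed sample data: a fixed "now" (15:30 UTC, 10:30 in Lima) and three
# syslog documents that all describe an event 30 seconds earlier.
NOW = datetime(2020, 8, 10, 15, 30, 0, tzinfo=timezone.utc)
DOCS = [
    # indexed with an explicit UTC marker
    {"node_name": "asr-01", "@timestamp": "2020-08-10T15:29:30Z"},
    # same instant, written by a device in Lima with its -05:00 offset
    {"node_name": "asr-02", "@timestamp": "2020-08-10T10:29:30-05:00"},
    # Lima wall-clock time with the offset dropped: read as UTC, so it appears
    # five hours in the past and falls outside now-60s
    {"node_name": "asr-03", "@timestamp": "2020-08-10T10:29:30"},
]

if __name__ == "__main__":
    for d in matching_hits(DOCS, NOW):
        print(d["node_name"], format_for_email(d["@timestamp"]))
```

Running it lists asr-01 and asr-02 with the same Lima-local date; asr-03 is silently missing, which is exactly what a "never fires" watch looks like when a source emits local time without an offset. The practical check, then, is not the range in the watch but the stored `@timestamp` of the documents you expect it to match: compare it against the cluster's UTC clock, and if it is consistently your local offset behind, fix the ingest side (the timestamp format or the date mapping's timezone), not the query.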
