Hi All,
I created the watcher below, and although I do get results, I am wondering whether the condition is actually working the way I expect it to.
I get the top 5 hdr_subject values through a terms aggregation. My current understanding is that if any one of those 5 unique hdr_subject buckets has a doc_count above 10, the condition returns true, the script stops there, and the action is executed. Is this correct? (Note that if none of the buckets exceeds 10, the loop in the condition script falls off the end without an explicit `return false;`, so I am relying on the implicit default being treated as false — presumably it is safer to add that return explicitly.)
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"clog-*"
],
"types": [
"logs"
],
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "program:GW AND EnvID:ukmail-mxin AND _exists_:hdr_subject",
"analyze_wildcard": true
}
},
{
"range": {
"@timestamp": {
"gte": "now-5m",
"lte": "now"
}
}
}
],
"must_not": []
}
},
"aggs": {
"subjects": {
"terms": {
"field": "hdr_subject.keyword",
"size": 5,
"order": {
"_count": "desc"
}
}
}
}
}
}
}
},
"condition": {
"script": {
"inline": "if (ctx.payload.hits.total < 1) return false; for(int i=0; i < ctx.payload.aggregations.subjects.buckets.size(); i++) if (ctx.payload.aggregations.subjects.buckets[i].doc_count > 10) return true",
"lang": "painless"
}
},
"actions": {
"standard_account": {
"throttle_period_in_millis": 900000,
"email": {
"profile": "standard",
"attachments": {
"attached_data": {
"data": {
"format": "json"
}
},
"dashboard.pdf": {
"reporting": {
"url": "http://localhost:5601/api/reporting/generate/dashboard/5bcaf390-71eb-11e7-ae4e-e7e0ad2f3161"
}
}
},
"priority": "high",
"to": [
"xxxx@xxx.com"
],
"subject": "Possible spam run detected. Encountered {{ctx.payload.hits.total}} matching messages in 5 minutes",
"body": {
"text": "Too many messages with the same subject in the last 5 minutes, see attached data"
}
}
}
}
}