Watcher: alert on all results of the payload, not only the first

I am querying an incident index. This index may contain documents separated by milliseconds; this is the query I have:

          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "message": "down"
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1m",
                      "lt": "now"
                    }
                  }
                }
              ]
            }
          }

This query may sometimes return many incidents, but Watcher only returns the first result of the payload.

Is there a way to alert on all the results in the payload?

You can change the number of results using the size parameter - however if there are thousands of results this will not work either.

Maybe if you add some context, we can see whether we can solve your problem. Try explaining your problem without mentioning any technology/queries/etc. :slight_smile:

Hi @spinscale, sorry for the late reply.
I get syslogs from many machines, and I have to alert whenever a syslog message contains the string "down". So within a range of one minute there could be many matches of the string "down",
but it seems that Watcher only gets me the first match it finds.

Thanks!

You are typically not interested in single down events, but rather in grouping those. For example, ten down events from a single node do not matter, but the node name is important.

You may want to take a look at aggregations to properly solve this.

--Alex
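To make the two replies above concrete, here is a complete watch body, written as an added example for this thread (not code from the original posts or from Elastic). It keeps the original `match`/`range` query, and instead of relying on the per-hit `size` (which caps out for thousands of hits, as the first reply notes) it adds a `terms` aggregation so that every host that logged "down" in the last minute shows up in the alert, each with its count. The index pattern `syslog-*`, the aggregated field `host.keyword`, the action name `log_down_hosts`, and the bucket limit of 500 are assumptions about the questioner's data, not values from the thread; the `metadata` block records that so the assumption travels with the watch. If you do also want raw hits in the payload, replace `"size": 0` with a larger value rather than leaving Watcher's default.

```json
{
  "metadata": {
    "note": "Example watch from a forum reply. syslog-*, host.keyword and the bucket size of 500 are assumed names and limits; adjust to your index mapping."
  },
  "trigger": {
    "schedule": { "interval": "1m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "syslog-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                { "match": { "message": "down" } }
              ],
              "filter": [
                { "range": { "@timestamp": { "gte": "now-1m", "lt": "now" } } }
              ]
            }
          },
          "aggs": {
            "by_host": {
              "terms": {
                "field": "host.keyword",
                "size": 500,
                "order": { "_count": "desc" }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": { "gt": 0 }
    }
  },
  "actions": {
    "log_down_hosts": {
      "logging": {
        "level": "warn",
        "text": "{{ctx.payload.hits.total}} syslog message(s) containing 'down' in the last minute, by host:\n{{#ctx.payload.aggregations.by_host.buckets}}- {{key}}: {{doc_count}}\n{{/ctx.payload.aggregations.by_host.buckets}}"
      }
    }
  }
}
```

Two things to check when adapting this. First, the aggregated field must be a `keyword` (or have a `.keyword` sub-field); a `terms` aggregation on an analyzed `text` field fails unless fielddata is enabled. Second, the Mustache section `{{#...buckets}} ... {{/...buckets}}` in the action text is what iterates over every bucket, so the same loop works in an `email` or `webhook` action body; if you need a separate notification per host rather than one combined message, that is a different design (one action per bucket) and is worth a separate thread.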
