I am looking to create a watcher alert where I am alerted if there is no activity or logs for a service within a time range. I have tried my bit but am ending up with errors. Here is the code for the watcher alert:
{
  "trigger": {
    "schedule": {
      "interval": "2m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "tibco*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "filter": [
              {
                "range": {
                  "@timestamp": {
                    "gte": "now-30m",
                    "lt": "now"
                  }
                }
              },
              {
                "query_string": {
                  "default_field": "EnterpriseLogMessage.EnterpriseLoggingData.0.ServiceName",
                  "query": "DataAcess-ProcessCRMData"
                }
              }
            ]
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "lt": 1
      }
    }
  },
  "actions": {
    "notify-evanios-down": {
      "webhook": {
        "scheme": "http",
        "host": "10.3.52.14",
        "port": 5023,
        "method": "post",
        "path": "/eventlistener/createEvent",
        "params": {},
        "headers": {
          "Content-Type": "text/xml"
        },
        "body": "<?xml version=\"1.0\" encoding=\"UTF-8\"?> <events> <passkey>kibana</passkey> <event> <u_event_type>u_event</u_event_type> <u_severity>1</u_severity> <u_objectname>This is a test alert.</u_objectname> <u_application>Horizon</u_application> <u_description>This is a test alert.</u_description> <u_extrastr2>This is a test alert.</u_extrastr2> <u_message>This is a test alert. Escalate to satishkumar.baratam@asurion.com.</u_message> </event> </events>"
      }
    }
  }
}
Part of the output when simulating the watch, with the range as configured above, is the following:
"input": {
  "type": "search",
  "status": "failure",
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[filter] query malformed, no start_object after query name",
        "line": 1,
        "col": 29
      }
    ],
    "type": "parsing_exception",
    "reason": "[filter] query malformed, no start_object after query name",
    "line": 1,
    "col": 29
  },