Hi there,
I am looking to create an advanced watch where I am alerted when any Docker container stops running on any VM in a network. While I receive results back, and during testing I am able to have the alert fire correctly, the results that appear date too far back. Therefore I added a time range, but for some reason I am getting an error when doing so (below). Here is the code for the watcher alert:
{
  "trigger": {
    "schedule": {
      "interval": "15s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat*"
        ],
        "types": [],
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-16h",
                    "lt": "now"
                  }
                },
                "match": {
                  "docker.info.containers.stopped": "1"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.hits.0._source.host.name": {
        "gte": "hgnode-*"
      }
    }
  },
  "actions": {
    "email_admin": {
      "email": {
        "profile": "standard",
        "to": [
          "'john <johnsmith@gmail.com>'"
        ],
        "subject": "{{ctx.payload.hits.hits.0._source.host.name}} is down",
        "body": {
          "text": "Go fix it!!!"
        }
      }
    },
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "There are {{ctx.payload.hits.hits.0._source.host.name}} documents in your index. Threshold is 10."
      }
    }
  }
}
Part of the output when simulating the watch, with the range configured as above, is the following:
"input": {
  "type": "search",
  "status": "failure",
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 1,
        "col": 89
      }
    ],
    "type": "parsing_exception",
    "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line": 1,
    "col": 89
  },
Could someone please help me find what is wrong with the code that I have?
Thanks in advance!
Javier
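Editor's note with an added example (not code from the original post or from Elastic): the parsing_exception quoted above is produced by the shape of the `filter` clause, not by the `range` values. The watch packs a `range` query and a `match` query into one JSON object, so the query parser, having finished the `range` block, expects the object to end and instead finds the `match` field name. A bool clause that carries more than one query must be a JSON array with one query object per element. The script below contains a small linter that catches exactly this mistake in a query body before it is sent to the watcher API, and rebuilds the search input of the watch in the valid array form. Two things in it are assumptions taken from the post rather than from a cluster: the field names (`@timestamp`, `docker.info.containers.stopped`, `host.name`) and the `hgnode-*` host prefix; the `wildcard` clause additionally assumes `host.name` is a keyword field. The wildcard clause is included because the watch's `compare` condition performs a plain value comparison and does not expand `*` as a pattern, so restricting the host name inside the search itself is the usual way to express that intent.

```python
"""Added example, not part of the original post.

Lints Elasticsearch bool queries for the "several queries in one clause
object" mistake and builds the watch search input in valid array form.
Field names and the hgnode-* prefix are assumptions taken from the post.
"""

import json

BOOL_CLAUSES = ("must", "filter", "should", "must_not")


def lint_bool_clauses(query, path="query"):
    """Return a list of problems found in a query body.

    A problem is any bool clause (must/filter/should/must_not) whose value is
    a single object holding more than one query key, e.g.
    {"range": ..., "match": ...}.  Elasticsearch parses that object as one
    query and fails with "[range] malformed query, expected [END_OBJECT]
    but found [FIELD_NAME]"; the clause has to be a list instead.
    """
    problems = []
    if isinstance(query, dict):
        for key, value in query.items():
            here = f"{path}.{key}"
            if key == "bool" and isinstance(value, dict):
                for clause in BOOL_CLAUSES:
                    body = value.get(clause)
                    if isinstance(body, dict) and len(body) > 1:
                        problems.append(
                            f"{here}.{clause}: one object holds {sorted(body)}; "
                            f"use a list with one query per element"
                        )
            problems.extend(lint_bool_clauses(value, here))
    elif isinstance(query, list):
        for i, item in enumerate(query):
            problems.extend(lint_bool_clauses(item, f"{path}[{i}]"))
    return problems


# The filter exactly as posted in the watch above (constructed sample input).
BROKEN_QUERY = {
    "bool": {
        "filter": {
            "range": {"@timestamp": {"gte": "now-16h", "lt": "now"}},
            "match": {"docker.info.containers.stopped": "1"},
        }
    }
}


def fixed_query(host_pattern="hgnode-*", window="now-16h"):
    """Same intent as BROKEN_QUERY in valid DSL: each query is its own
    element of the filter list.  The host restriction is added as a
    wildcard query on host.name (assumed keyword field) because the
    watch's compare condition does not treat "hgnode-*" as a pattern."""
    return {
        "bool": {
            "filter": [
                {"range": {"@timestamp": {"gte": window, "lt": "now"}}},
                {"match": {"docker.info.containers.stopped": "1"}},
                {"wildcard": {"host.name": host_pattern}},
            ]
        }
    }


def watch_input(query, size=1):
    """Wrap a query in the search-input shape used by the watch above."""
    return {
        "search": {
            "request": {
                "search_type": "query_then_fetch",
                "indices": ["metricbeat*"],
                "body": {"size": size, "query": query},
            }
        }
    }


if __name__ == "__main__":
    print("broken:", lint_bool_clauses(BROKEN_QUERY) or "ok")
    print("fixed: ", lint_bool_clauses(fixed_query()) or "ok")
    # Paste the printed "input" object into the watch in place of the old one.
    print(json.dumps({"input": watch_input(fixed_query())}, indent=2))
```

Run it once before saving the watch: the linter reports the posted filter and stays silent on the rebuilt one, and the printed `input` object can be dropped into the watch body as-is. The `lt: "now"` upper bound is kept from the post; with a 15 s trigger and `size: 1`, remember that the single returned hit is whichever document sorts first, so a `sort` on `@timestamp` descending in the body is worth adding if the newest event is the one the alert should report.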