Watcher auto acknowledgment, throttle_period reset

This has been discussed earlier. In my case I need one-shot messages for PROBLEM (hits < N) and OK (hits >= N).
Throttling with a large time period will not help in this situation, since condition=false doesn't reset throttle_period (not for actions https://github.com/elastic/elasticsearch/issues/27358, not for the watcher). So, throttle-reset or auto-ack options would solve this problem.
For now I have to create 1 watcher with 3 actions: OK action, PROBLEM action, ACK action (webhook to Elasticsearch itself). It looks like this:

 "condition": {
    "always": {}
  },
  "actions": {
    "notify-slack-problem": {
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "lte": 150
          }
        }
      },
      "slack": { ... }
    },
    "notify-slack-ok": {
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gt": 150
          }
        }
      },
      "slack": { ... }
    },
    "ack-slack": {
      "webhook": {
        "scheme": "http",
        "host": "localhost",
        "port": 9200,
        "method": "post",
        "path": "/_xpack/watcher/watch/{{ctx.watch_id}}/_ack/notify-slack-problem,notify-slack-ok",
        "params": {},
        "headers": {}
      }
    }
  }

This hasn't been tested much; could there be a race problem (notify-slack-* completing after ack-slack)? Also, this will not work with a security-enabled installation (in that case a second watcher could be created; anyway there will be plaintext credentials in the watcher)... Maybe there is a better solution for all of this?

It seems that 1 watcher doesn't work as I expect (the action's condition doesn't reset the acked state). But 2 watchers with opposite conditions seem to work (with the limitations from the previous message):

"condition": {
   "compare": {
     "ctx.payload.hits.total": {
       "gt": 150
     }
   }
 },
 "actions": {
   "notify-slack": { ...
   },
   "ack-slack": {
     "webhook": {
       "scheme": "http",
       "host": "localhost",
       "port": 9200,
       "method": "post",
       "path": "/_xpack/watcher/watch/{{ctx.watch_id}}/_ack",
       "params": {},
       "headers": {}
     }
   }
 }

What Elasticsearch version are you using?

5.6.4

If you need one-shot messages, wouldn't it work if you use a chained input that gets/searches a specific document, and if that document exists, you do/do not execute any action?
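
The one-shot behaviour this thread is after (one PROBLEM message when hits fall to 150 or below, one OK message on recovery), as an added Python example that is not part of the original posts or of Elasticsearch. It models the state-document lookup from the last reply in memory instead of calling Elasticsearch; `StateStore`, `classify`, `evaluate`, `run_series` and the sample hit counts are hypothetical names and constructed data.

```python
"""Edge-triggered (one-shot) alerting driven by a stored state document."""
from typing import Dict, List, Optional

THRESHOLD = 150  # same threshold as the watches in the thread


class StateStore:
    """In-memory stand-in for the document a chained input would get/search."""

    def __init__(self) -> None:
        self._docs: Dict[str, str] = {}

    def get(self, watch_id: str) -> Optional[str]:
        return self._docs.get(watch_id)

    def put(self, watch_id: str, state: str) -> None:
        self._docs[watch_id] = state


def classify(hits_total: int) -> str:
    # Mirrors the action conditions in the thread: lte 150 -> PROBLEM, gt 150 -> OK.
    return "PROBLEM" if hits_total <= THRESHOLD else "OK"


def evaluate(store: StateStore, watch_id: str, hits_total: int) -> Optional[str]:
    """Return the message to send on this run, or None when nothing changed."""
    current = classify(hits_total)
    previous = store.get(watch_id)
    if previous == current:
        return None  # same state as the last run: stay silent
    store.put(watch_id, current)
    if previous is None and current == "OK":
        return None  # first run and healthy: record the state, send nothing
    return current


def run_series(hit_counts: List[int], watch_id: str = "example-watch") -> List[Optional[str]]:
    """Feed successive search results through one watch and collect the messages."""
    store = StateStore()
    return [evaluate(store, watch_id, hits) for hits in hit_counts]


# Constructed sample: healthy, drops to the threshold, flaps around it, recovers.
SAMPLE_HITS = [200, 180, 150, 90, 151, 160, 149, 149, 300]

if __name__ == "__main__":
    for hits, message in zip(SAMPLE_HITS, run_series(SAMPLE_HITS)):
        print(f"hits={hits:4d} -> {message or '-'}")
```

Because the stored state is only written when it changes, repeated runs in the same state send nothing, which is the effect the thread tries to reach through acknowledgment.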
