Watcher basics: looping over the aggregation buckets and checking their values

Hi All,

I'm fairly new to Watcher (I only started learning about it yesterday) and I'm stuck on a problem: I want to know whether the `doc_count` of any bucket is greater than 10 (for example) and have the watch alert me when it sees one. I would also like Elasticsearch to return that bucket's `key` and `doc_count` so that I can print them in the alert the watcher sends.

{
 "watch_id": "_inlined_",
   "node": "YzbnaAY1R1OP1vGWCvn33A",
   "state": "executed",
   "user": "rolf.nufable",
   "status": {
     "state": {
       "active": true,
       "timestamp": "2020-06-04T20:39:56.773Z"
     },
     "last_checked": "2020-06-04T20:39:56.774Z",
"last_met_condition": "2020-06-04T20:39:56.774Z",
"actions": {
  "my-logging-action": {
    "ack": {
      "timestamp": "2020-06-04T20:39:56.774Z",
      "state": "ackable"
    },
    "last_execution": {
      "timestamp": "2020-06-04T20:39:56.774Z",
      "successful": true
    },
    "last_successful_execution": {
      "timestamp": "2020-06-04T20:39:56.774Z",
      "successful": true
    }
  }
},
"execution_state": "executed",
"version": -1
   },
   "trigger_event": {
"type": "manual",
"triggered_time": "2020-06-04T20:39:56.774Z",
"manual": {
  "schedule": {
    "scheduled_time": "2020-06-04T20:39:56.774Z"
  }
}
   },
   "input": {
     "search": {
       "request": {
    "search_type": "query_then_fetch",
    "indices": [
      "evolve-test2"
    ],
    "rest_total_hits_as_int": true,
    "body": {
      "size": 0,
      "query": {
        "match": {
          "type": "DEVICE_NOT_ASSIGNED_TO_GATEWAY_ERROR"
        }
      },
      "aggs": {
        "Unique_devices": {
          "terms": {
            "field": "deviceId.keyword",
            "size": 10
          }
        }
      }
    }
  }
}
   },
   "condition": {
"compare": {
  "ctx.payload.hits.total": {
    "gte": 20
       }
     }
   },
   "metadata": {
     "name": "Evolve Watcher Test",
     "xpack": {
       "type": "json"
     }
   },
        "result": {
     "execution_time": "2020-06-04T20:39:56.774Z",
     "execution_duration": 3,
"input": {
  "type": "search",
  "status": "success",
  "payload": {
    "_shards": {
      "total": 1,
      "failed": 0,
      "successful": 1,
      "skipped": 0
    },
    "hits": {
      "hits": [],
      "total": 347,
      "max_score": null
    },
    "took": 1,
    "timed_out": false,
    "aggregations": {
      "Unique_devices": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 13,
        "buckets": [
          {
            "doc_count": 138,
            "key": "Device1_14_10976_6nFqkD"
          },
          {
            "doc_count": 34,
            "key": "Device2_14_11881_4mZoSF"
          },
          {
            "doc_count": 34,
            "key": "Device2_14_17783_9wrQuC"
          },
          {
            "doc_count": 32,
            "key": "Device2_14_10384_SlVk7X"
          },
          {
            "doc_count": 25,
            "key": "deviceAssignedToOtherClinic"
          },
          {
            "doc_count": 22,
            "key": "Device1_14_14559_0Mwm1I"
          },
          {
            "doc_count": 16,
            "key": "Device1_14_18943_ZJ0zlv"
          },
          {
            "doc_count": 12,
            "key": "invalidId"
          },
          {
            "doc_count": 11,
            "key": "notAssignedGateway"
          },
          {
            "doc_count": 10,
            "key": "notAssignedDevice"
          }
        ]
      }
    }
  },
  "search": {
    "request": {
      "search_type": "query_then_fetch",
      "indices": [
        "evolve-test2"
      ],
      "rest_total_hits_as_int": true,
      "body": {
        "size": 0,
        "query": {
          "match": {
            "type": "DEVICE_NOT_ASSIGNED_TO_GATEWAY_ERROR"
          }
        },
        "aggs": {
          "Unique_devices": {
            "terms": {
              "field": "deviceId.keyword",
              "size": 10
            }
          }
        }
      }
    }
  }
},
"condition": {
  "type": "compare",
  "status": "success",
  "met": true,
  "compare": {
    "resolved_values": {
      "ctx.payload.hits.total": 347
    }
  }
},
"actions": [
  {
    "id": "my-logging-action",
    "type": "logging",
    "status": "success",
    "logging": {
      "logged_text": "There are 347 documents in your index. Threshold is 20."
    }
  }
]
   },
   "messages": []
 }

This is the execution record of my basic watch. Basically I want to dig into each bucket's `doc_count`, get its value and check it; if it's greater than ten, the watcher should alert me. (As written, the condition only compares `ctx.payload.hits.total` against 20, so it fires on the overall hit count — 347 here — rather than on any individual bucket.)

I tried scouring the internet for answers (mostly on this forum too) and came across some suggestions like these:

{{#ctx.payload.aggregations.Unique_devices.buckets}}{{doc_count}} 
{{/ctx.payload.aggregations.Unique_devices.buckets}}

I'm not really sure how to use this in the condition part. I did use it in the action part, though, and it listed the values for every bucket.

or

 "script":{
     "source": "int i; for(i=0; i< ctx.payload.aggregations.Unique_devices.buckets.size(); i+=1) { if( ctx.payload.aggregations.Unique_devices.buckets.[i].doc_count > 10){ return ctx.payload.aggregations.Unique_devices.buckets.[i].key}}","lang": "painless"}

That did not work either: `buckets.[i]` is not valid Painless (the index goes straight after the list, `buckets[i]`), and a condition script has to return a boolean, not a bucket key.

Please point me in the right direction; I'm really clueless at the moment.

Hey,

So you need two different scripting languages, depending on whether you want to compute something or display it in an output. In the first case you use Painless (for example in the condition); in the second case you use Mustache (for example in the text of a logging action).

Regarding your check: set the `min_doc_count` parameter on the terms aggregation (11 for "greater than 10"), and then all you need to check is whether the number of returned buckets is greater than 0, using a script condition like this:

"condition": {
  "script": {
    "lang" : "painless",
    "source" : "return ctx.payload.aggregations.Unique_devices.buckets.size() > 0"
   }
 }

and then you are good to go. Two caveats: the condition only needs one bucket to exist, but if you also want the action to list every device over the threshold, remember the terms aggregation returns at most `size` buckets (10 in your watch), so raise `size` accordingly; and terms counts are only exact per shard — your index has a single shard, so `doc_count_error_upper_bound` is 0 here, but keep an eye on it if the index grows. In the logging action you can then print each offending device with Mustache, e.g. `{{#ctx.payload.aggregations.Unique_devices.buckets}}{{key}}: {{doc_count}} {{/ctx.payload.aggregations.Unique_devices.buckets}}`.

Hope this helps!
