Hi All,
I'm fairly new to Watcher (I just started learning about it yesterday), and I'm stuck on a problem: I want to know if the value of `doc_count` is greater than 10 (for example) and have the watcher alert me if it sees one. I would also like Elastic to return the key and doc count so that I can print them in the alert that the watcher sends.
{
"watch_id": "_inlined_",
"node": "YzbnaAY1R1OP1vGWCvn33A",
"state": "executed",
"user": "rolf.nufable",
"status": {
"state": {
"active": true,
"timestamp": "2020-06-04T20:39:56.773Z"
},
"last_checked": "2020-06-04T20:39:56.774Z",
"last_met_condition": "2020-06-04T20:39:56.774Z",
"actions": {
"my-logging-action": {
"ack": {
"timestamp": "2020-06-04T20:39:56.774Z",
"state": "ackable"
},
"last_execution": {
"timestamp": "2020-06-04T20:39:56.774Z",
"successful": true
},
"last_successful_execution": {
"timestamp": "2020-06-04T20:39:56.774Z",
"successful": true
}
}
},
"execution_state": "executed",
"version": -1
},
"trigger_event": {
"type": "manual",
"triggered_time": "2020-06-04T20:39:56.774Z",
"manual": {
"schedule": {
"scheduled_time": "2020-06-04T20:39:56.774Z"
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"evolve-test2"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"match": {
"type": "DEVICE_NOT_ASSIGNED_TO_GATEWAY_ERROR"
}
},
"aggs": {
"Unique_devices": {
"terms": {
"field": "deviceId.keyword",
"size": 10
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 20
}
}
},
"metadata": {
"name": "Evolve Watcher Test",
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2020-06-04T20:39:56.774Z",
"execution_duration": 3,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 1,
"failed": 0,
"successful": 1,
"skipped": 0
},
"hits": {
"hits": [],
"total": 347,
"max_score": null
},
"took": 1,
"timed_out": false,
"aggregations": {
"Unique_devices": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 13,
"buckets": [
{
"doc_count": 138,
"key": "Device1_14_10976_6nFqkD"
},
{
"doc_count": 34,
"key": "Device2_14_11881_4mZoSF"
},
{
"doc_count": 34,
"key": "Device2_14_17783_9wrQuC"
},
{
"doc_count": 32,
"key": "Device2_14_10384_SlVk7X"
},
{
"doc_count": 25,
"key": "deviceAssignedToOtherClinic"
},
{
"doc_count": 22,
"key": "Device1_14_14559_0Mwm1I"
},
{
"doc_count": 16,
"key": "Device1_14_18943_ZJ0zlv"
},
{
"doc_count": 12,
"key": "invalidId"
},
{
"doc_count": 11,
"key": "notAssignedGateway"
},
{
"doc_count": 10,
"key": "notAssignedDevice"
}
]
}
}
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"evolve-test2"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"match": {
"type": "DEVICE_NOT_ASSIGNED_TO_GATEWAY_ERROR"
}
},
"aggs": {
"Unique_devices": {
"terms": {
"field": "deviceId.keyword",
"size": 10
}
}
}
}
}
}
},
"condition": {
"type": "compare",
"status": "success",
"met": true,
"compare": {
"resolved_values": {
"ctx.payload.hits.total": 347
}
}
},
"actions": [
{
"id": "my-logging-action",
"type": "logging",
"status": "success",
"logging": {
"logged_text": "There are 347 documents in your index. Threshold is 20."
}
}
]
},
"messages": []
}
This is my basic watcher code. Basically, I want to dig into `buckets.doc_count`, get its value and check it; if it's greater than ten, then the watcher should alert me.
I tried scouring the internet for answers (mostly on this forum too) and came across some answers like these:
{{#ctx.payload.aggregations.Unique_devices.buckets}}{{doc_count}}
{{/ctx.payload.aggregations.Unique_devices.buckets}}
I'm not really sure how to use this code in the condition part, though I used it in the action part and it listed all the keys that are found in the bucket.
or
"script":{
"source": "int i; for(i=0; i< ctx.payload.aggregations.Unique_devices.buckets.size(); i+=1) { if( ctx.payload.aggregations.Unique_devices.buckets.[i].doc_count > 10){ return ctx.payload.aggregations.Unique_devices.buckets.[i].key}}","lang": "painless"}
But obviously that did not work.
Please guide me in the right direction here, because I'm really clueless at the moment.