Watcher case

Good afternoon. I'm trying to configure an alert for a single item: I want to match one field against a term that I define. Specifically, I need the field "monitor.name.keyword" to equal a name that I supply through a term filter in a query. Below are the watch definition and the error I get in the output.

source code:

{

"trigger": {

"schedule": {

  "interval": "1h"

}

},

"input": {

"search": {

  "request": {

    "search_type": "query_then_fetch",

    "indices": [

      "agenteallot*"

    ],

    "rest_total_hits_as_int": true,

    "body": {

      "size": 0,

      "query": {

        "bool": {

          "filter": {

            "range": {

              "@timestamp": {

                "gte": "{{ctx.trigger.scheduled_time}}||-5m",

                "lte": "{{ctx.trigger.scheduled_time}}",

                "format": "strict_date_optional_time||epoch_millis"

              }

            }

          }

        }

      },

      "aggs": {

        "bucketAgg": {

          "terms": {

            "field": "monitor.name.keyword",

            "query": {

                "bool":{

                    "filter":{

                        "term":{

                            "monitor.name.keyword": "13-1-CAV30CI971650-CALLE_58-PPAL-20M-99.8"

                        }}

                }

            }

          },

          "aggs": {

            "metricAgg": {

              "max": {

                "field": "summary.up"

              }

            }

          }

        }

      }

    }

  }

}

},

"condition": {

"script": {

  "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value >= params.threshold) { return true; } } return false;",

  "lang": "painless",

  "params": {

    "threshold": 0.8

  }

}

},

"actions": {

"email_1": {

  "email": {

    "profile": "standard",

    "attach_data": {

      "format": "yaml"

    },

    "to": [

      "juan.jaramillo@megadvantage.com",

      "victor.vera@megadvantage.com"

    ],

    "subject": "{{ctx.metadata.name}} {{ctx.payload.results}}",

    "body": {

      "text": """Buen dia, Adjunto registro del reporte.

:warning:ALERTA NODO!!! El siguiente enlace perdió la conexión.

Estado: Down🔴

Nombre del Enlace: {{ctx.payload.results}}

:clock1230:Hora: {{ctx.execution_time}}

Área: Networking

:bell:Mensaje Alerta: El enlace ha dejado de responder. Responder correo a telecomunicaciones@udistrital.edu.co

Ingrese aquí para más información: https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/distrital/app/uptime#"""

    }

  }

}

},

"transform": {

"script": {

  "source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = arr[i]['metricAgg'].value; if (filteredHit.value >= params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",

  "lang": "painless",

  "params": {

    "threshold": 0.8

  }

}

}

}

Output Code:

{ "watch_id":
" inlined ",
"node":
"ELuSGxpSRICZb2ZHJp4paA",
"state":
"failed",
"user":
"elastic",
"status":
{ "state":
{ "active":
true,
"timestamp":
"2020-10-05T19:37:36.293Z"
}, "actions":
{ "email_1":
{ "ack":
{ "timestamp":
"2020-10-05T19:37:36.293Z",
"state":
"awaits_successful_execution"
} } }, "execution_state":
"failed",
"version":
-1
}, "trigger_event":
{ "type":
"manual",
"triggered_time":
"2020-10-05T19:37:36.293Z",
"manual":
{ "schedule":
{ "scheduled_time":
"2020-10-05T19:37:36.293Z"
} } }, "input":
{ "search":
{ "request":
{ "search_type":
"query_then_fetch",
"indices":
[ "agenteallot*"
], "rest_total_hits_as_int":
true,
"body":
{ "size":
0,
"query":
{ "bool":
{ "filter":
{ "range":
{ "@timestamp":
{ "gte":
"{{ctx.trigger.scheduled_time}}||-5m",
"lte":
"{{ctx.trigger.scheduled_time}}",
"format":
"strict_date_optional_time||epoch_millis"
} } } } }, "aggs":
{ "bucketAgg":
{ "terms":
{ "field":
"monitor.name.keyword",
"query":
{ "bool":
{ "filter":
{ "term":
{ "monitor.name.keyword":
"13-1-CAV30CI971650-CALLE_58-PPAL-20M-99.8"
} } } } }, "aggs":
{ "metricAgg":
{ "max":
{ "field":
"summary.up"
} } } } } } } } }, "condition":
{ "script":
{ "source":
"ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets;
for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value >= params.threshold) { return true; } } return false;",
"lang":
"painless",
"params":
{ "threshold":
0.8
} } }, "metadata":
{ "name":
"Alerta caída enlace único2.0",
"xpack":
{ "type":
"json"
} }, "result":
{ "execution_time":
"2020-10-05T19:37:36.293Z",
"execution_duration":
1,
"input":
{ "type":
"search",
"status":
"failure",
"error":
{ "root_cause":
[ { "type":
"x_content_parse_exception",
"reason":
"[1:255] [terms] unknown field [query]"
} ], "type":
"x_content_parse_exception",
"reason":
"[1:255] [terms] unknown field [query]"
}, "search":
{ "request":
{ "search_type":
"query_then_fetch",
"indices":
[ "agenteallot*"
], "rest_total_hits_as_int":
true,
"body":
{ "size":
0,
"query":
{ "bool":
{ "filter":
{ "range":
{ "@timestamp":
{ "gte":
"2020-10-05T19:37:36.293728Z||-5m",
"lte":
"2020-10-05T19:37:36.293728Z",
"format":
"strict_date_optional_time||epoch_millis"
} } } } }, "aggs":
{ "bucketAgg":
{ "terms":
{ "field":
"monitor.name.keyword",
"query":
{ "bool":
{ "filter":
{ "term":
{ "monitor.name.keyword":
"13-1-CAV30CI971650-CALLE_58-PPAL-20M-99.8"
} } } } }, "aggs":
{ "metricAgg":
{ "max":
{ "field":
"summary.up"
} } } } } } } } }, "actions":
}, "messages":
[ "failed to execute watch input"
] }

THANKS!!

Hey,

This is really hard, if not impossible, to read. Can you properly format your snippets using markdown? That would help readability tremendously.

Adding information about the version of the stack that you are using would also be super helpful!

Thanks!

--Alex

OK, I have reformatted it and restated the question more clearly.

I need to match documents where a field equals a value I specify, but I get an "unknown field" error. I need "monitor.name.keyword" to equal "01-1-CAV30328203-DATOS-PPAL-2.7G-99.98", but the watch fails; I do not know whether the problem is the condition or something else. Please help. Here is the code.

{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "agenteallot*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||basic_time_no_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "bucketAgg": {
            "query":{
                "bool":{"filter":{
                    "term":{
                        "monitor.name.keyword": "01-1-CAV30328203-DATOS-PPAL-2.7G-99.98"
                    }
                
                }
                }
              },
              "aggs": {
                "metricAgg": {
                  "max": {
                    "field": "summary.up"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value >= params.threshold) { return true; } } return false;",
      "lang": "painless",
      "params": {
        "threshold": 0.8
      }
    }
  },
  "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          "juan.jaramillo@megadvantage.com",
          "victor.vera@megadvantage.com"
        ],
        "subject": "{{ctx.metadata.name}} {{ctx.payload.results}}",
        "body": {
          "text": """Buen dia, Adjunto registro del reporte.

 ⚠️ALERTA NODO!!! El siguiente enlace perdió la conexión. 

 Estado: Down🔴 

 Nombre del Enlace: {{ctx.payload.results}} 

 🕧Hora: {{ctx.execution_time}}  {{ctx.result.execution_time}}

 Área: Networking 

 🔔Mensaje Alerta: El enlace ha dejado de responder. Responder correo a telecomunicaciones@udistrital.edu.co 

 Ingrese aquí para más información: https://72dfe17217744236af40cc31b704a664.us-central1.gcp.cloud.es.io:9243/s/distrital/app/uptime#"""
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = arr[i]['metricAgg'].value; if (filteredHit.value >= params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
      "lang": "painless",
      "params": {
        "threshold": 0.8
      }
    }
  }
}

This is the error:

simulation output:

{
  "watch_id": "_inlined_",
  "node": "ELuSGxpSRICZb2ZHJp4paA",
  "state": "failed",
  "user": "elastic",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2020-10-14T16:47:00.530Z"
    },
    "actions": {
      "email_1": {
        "ack": {
          "timestamp": "2020-10-14T16:47:00.530Z",
          "state": "awaits_successful_execution"
        }
      }
    },
    "execution_state": "failed",
    "version": -1
  },
  "trigger_event": {
    "type": "manual",
    "triggered_time": "2020-10-14T16:47:00.530Z",
    "manual": {
      "schedule": {
        "scheduled_time": "2020-10-14T16:47:00.530Z"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "agenteallot*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||basic_time_no_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "bucketAgg": {
              "query": {
                "bool": {
                  "filter": {
                    "term": {
                      "monitor.name.keyword": "01-1-CAV30328203-DATOS-PPAL-2.7G-99.98"
                    }
                  }
                }
              },
              "aggs": {
                "metricAgg": {
                  "max": {
                    "field": "summary.up"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value >= params.threshold) { return true; } } return false;",
      "lang": "painless",
      "params": {
        "threshold": 0.8
      }
    }
  },
  "metadata": {
    "name": "Alerta caída enlace único2.2",
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2020-10-14T16:47:00.530Z",
    "execution_duration": 0,
    "input": {
      "type": "search",
      "status": "failure",
      "error": {
        "root_cause": [
          {
            "type": "named_object_not_found_exception",
            "reason": "[1:231] unknown field [query]"
          }
        ],
        "type": "named_object_not_found_exception",
        "reason": "[1:231] unknown field [query]"
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "agenteallot*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "gte": "2020-10-14T16:47:00.530267Z||-5m",
                      "lte": "2020-10-14T16:47:00.530267Z",
                      "format": "strict_date_optional_time||basic_time_no_millis"
                    }
                  }
                }
              }
            },
            "aggs": {
              "bucketAgg": {
                "query": {
                  "bool": {
                    "filter": {
                      "term": {
                        "monitor.name.keyword": "01-1-CAV30328203-DATOS-PPAL-2.7G-99.98"
                      }
                    }
                  }
                },
                "aggs": {
                  "metricAgg": {
                    "max": {
                      "field": "summary.up"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "actions": []
  },
  "messages": [
    "failed to execute watch input"
  ]
}
