I have configured 4 watches, and see that they get triggered fine. However, the compare condition is not met and no action is taken. Can you please advise if anything is wrong with these conditions?
I am attaching a couple of snippets returned by the get watcher history API. Will really appreciate any help or pointers. I have tried to mark relevant sections in bold.
I tried GET /logstash-index/_search, and I did get the following. It seems indexes have not been built for all of the watches. How do I proceed now? Many thanks.
Not sure what you mean by "rebuild the indexes", but watcher doesn't really care what indexes you're searching, it just executes the search you configure.
If you index documents into the logstash-index and one of the documents has a Battery Voltage Normal field with a Low value, then the condition will be met and the actions will execute.
So in your case, it's all about populating the logstash-index with data.
I am restarting everything. I had followed the procedure; created index; created watches, and uploaded data. Still logstash-index does not seem to have documents. I was wondering what could have gone wrong?
I'd focus on the "uploaded data" part before looking into watcher; your problem is somewhere there, as even a simple search request doesn't return results. Once you index the data successfully and you see that a simple search request works, then your watch should work as well.
In that case, do I need to recreate my watches to use one of the indexes I create in Kibana? logstash-* is one of them as well. This can happen only after data is uploaded though.
You can simply update your watch (change the index name to logstash-* and re-PUT the watch)... it doesn't need to wait for the data to be there... if there is no logstash-* then the search will return an error and the error will be stored as part of the watch record... once the index is there, the watch will execute as expected.
logstash-* is not accepted as an index name through PUT index API.
{
"error": "InvalidIndexNameException[[logstash-] Invalid index name [logstash-], must not contain the following characters [\, /, *, ?, ", <, >, |, , ,]]",
"status": 400
}
yea.. you can't index to logstash-*, only search it. But if you're using logstash you don't need to worry about it as logstash takes care of creating (by default) daily indices in the form of logstash-2015.06.07, logstash-2015.06.08, logstash-2015.06.09, etc...
Searching on logstash-* will search all these indices.
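
An added example, not part of the thread and not the poster's own watch: a watch body of the kind discussed above, searching the logstash-* pattern for the Battery Voltage Normal field with a Low value and comparing the hit count. It would be stored with a request such as PUT _watcher/watch/battery_voltage_low; the watch id, the 5-minute interval and the logging action are assumptions.

```json
{
  "metadata": {
    "note": "Added example. Watch id, interval and logging action are assumptions; field name and value come from the thread."
  },
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "logstash-*" ],
        "body": {
          "query": {
            "match": { "Battery Voltage Normal": "Low" }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": { "gt": 0 }
    }
  },
  "actions": {
    "log_low_voltage": {
      "logging": {
        "text": "{{ctx.payload.hits.total}} documents report Battery Voltage Normal = Low"
      }
    }
  }
}
```

If the search behind the watch returns no hits when run by hand against logstash-*, the compare condition cannot be met, which is the situation described in the thread.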