Watcher compare condition not generating any hits

Ajit_Bhingarkar · June 9, 2015, 8:14am

Hi,

I have configured 4 wathes; and see that they get triggered fine. However compare condition is not met and no action is taken. Can you pls advice if anything is wrong with these conditions?

I am attaching couple of snippets returned by get watcher history API. Will really appreciate any help or pointers.I have tried to mark relevant sections in bold.

Thanks,
Ajit

           "input": {"search": {"request":                {
              "search_type": "query_then_fetch",
              "indices": ["logstash-index"],
              "types": [],
              **"body": {"query": {"match": {"Battery Voltage Normal": "Low"}}}**
           }}},
           **"condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},**
           "state": "execution_not_needed",
           "execution_result":                {
              "execution_time": "2015-06-08T18:45:27.351Z",
              "input": {"search":                   {
                 **"payload":                      {**
                    **"hits":                         {**
                       **"total": 0,**
                       "hits": [],
                       "max_score": null
                    },

           "input": {"search": {"request":                {
              "search_type": "query_then_fetch",
              "indices": ["logstash-index"],
              "types": [],
              **"body": {"query": {"filtered": {"filter": {"range": {"Temprature (C)": {"gte": 35}}}}}}**
           }}},
           **"condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},**
           "state": "execution_not_needed",
           "execution_result":                {
              "execution_time": "2015-06-08T18:44:37.283Z",
              "input": {"search":                   {
                 **"payload":                      {**
                    **"hits":                         {**
                       **"total": 0,**
                       **"hits": [],**
                       "max_score": null
                    },

uboness · June 9, 2015, 8:21am

If you do a search outside of watcher, do you get any results for this?

GET logstash-index/_search
{
   "query": {
	   "match": { "Battery Voltage Normal": "Low" }
   }
}

ps, is "Battery Voltage Normal" really the field name?

Ajit_Bhingarkar · June 9, 2015, 8:35am

Thanks Uri.

Yes "Battery Voltage Normal" is the real field.

I tried GET /logstash-index/_search,and I did get following. It seems indexes have not been built for all of watches. How do I proceed now? Many thanks.

{
"took": 2,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 0,
"max_score": null,
"hits": []
}
}

uboness · June 9, 2015, 8:40am

so it seems to work fine, no?

The actions will only execute if the condition is met.
The condition will be met only if there are any search results ({"compare": {"ctx.payload.hits.total": {"gt": 0}}}).
since no search results are returned, the condition is not met and therefore the actions are not executing

Ajit_Bhingarkar · June 9, 2015, 8:41am

I got that now, but do I rebuild the indexes so that _search would return correct results?

Thanks,

Ajit_Bhingarkar · June 9, 2015, 8:43am

Also on cmd prompt I keep getting these messages, indicating watcher history is getting updated ok.

[2015-06-09 14:11:42,495][DEBUG][watcher.history ] [Boomer] successfull
y updated watch record [battery_voltage_low_error_watch_58-2015-06-09T08:41:42.4
80Z]
[2015-06-09 14:11:42,496][DEBUG][watcher.input.simple ] [Boomer] [DG_on_off_
watch_58-2015-06-09T08:41:42.480Z] found [DG_on_off_watch] hits
[2015-06-09 14:11:42,498][DEBUG][watcher.history ] [Boomer] successfull
y updated watch record [DG_on_off_watch_58-2015-06-09T08:41:42.480Z]
[2015-06-09 14:11:42,499][DEBUG][watcher.history ] [Boomer] successfull
y updated watch record [pilfered_fuel_watch_58-2015-06-09T08:41:42.480Z]
[2015-06-09 14:11:42,499][DEBUG][watcher.history ] [Boomer] successfull
y updated watch record [temp_high_error_watch_58-2015-06-09T08:41:42.480Z]

uboness · June 9, 2015, 8:48am

not sure what you mean by "rebuild the indexes", but watcher doesn't really care what indexes you're search, it just executes the search you configure.

If you index documents into the logstash-index and one of the documents will have a Battery Voltage Normal field with a Low value. Then the condition will be met and the actions will execute.

So in your case, it's all about populating the logstash-index with data.

Ajit_Bhingarkar · June 9, 2015, 8:50am

Yes. Thanks.

I am restarting everything. I had followed the procedure; created index; created watches, and uploaded data. Still logstash-index does not seem to have documents. I was wondering what could have gone wrong?

uboness · June 9, 2015, 8:55am

I'd focus on the "uploaded data" part before looking into watcher, your problem is somewhere there as even a simple search request doesn't return results. Once you index the data successfully and you see that a simple search request work, then your watch should work as well.

Ajit_Bhingarkar · June 9, 2015, 8:59am

I have dashboards built off that data, so all other indexes built in Kabana (one mapped to @timestamp), seem to be working fine.

I see an index for each day created for my records worth 6 months.

Let me do everything afresh and get back. Thanks again.

Ajit_Bhingarkar · June 9, 2015, 9:00am

One quick thing; should I use logstash-index created for watches also as part of logstash configuration while uploading data?

uboness · June 9, 2015, 9:02am

did you create logstash-index specially for watcher?

Ajit_Bhingarkar · June 9, 2015, 9:02am

Yes, just for watches.

uboness · June 9, 2015, 9:03am

so two questions:

are you populating it with data somehow?
why don't you simply search directly on the logstash indices (logstash-*)?

Ajit_Bhingarkar · June 9, 2015, 9:05am

No
In that cases do I need to recreate by watches to use one of the indexes I create in Kibana? logstash-* is one of them as well.This can happen only after data is uploaded though.

Thanks.

uboness · June 9, 2015, 9:08am

You can simply update your watch (change the index name to logstash-* and re-PUT the watch)... it doesn't need to wait for the data to be there... if there is no logstash-* then the search will return an error and the error will be stored as part of the watch record... once the index is there, the watch will executed as expected

Ajit_Bhingarkar · June 9, 2015, 9:10am

Will do. I have now cleaned up everything so it is little late, but I got the mistake I was doing.

Thank you very much.

uboness · June 9, 2015, 9:12am

no worries... good luck

Ajit_Bhingarkar · June 9, 2015, 9:34am

Just FYI...

logstash-* is not accepted as an index name through PUT index API.

{
"error": "InvalidIndexNameException[[logstash-] Invalid index name [logstash-], must not contain the following characters [\, /, *, ?, ", <, >, |, , ,]]",
"status": 400
}

uboness · June 9, 2015, 10:12am

yea.. you can't index to logstash-*, only search it. But if you're using logstash you don't need to worry about it as logstash takes care of creating (by default) daily indices in the form of logstash-2015.06.07, logstash-2015.06.08, logstash-2015.06.09, etc...

Searching on logstash-* will search all these indices