Hello everybody,
I'm trying to create in Elastic (the cloud version) a trigger / alert that, based on the value of an index field, sends an email.
My index is, more or less, structured like this:
id timestamp
XX 2021-05-01 17:23
YY 2021-05-01 16:15
I would like to create an alert that, if the data is older than 10 minutes, a specific alert relating to the id will start, so:
"XX hasn't sent data for more than 10 minutes"
Hey,
so the idea of watcher here, is to create an elasticsearch query first, that returns the data you need - so we should probably work on this first. In your case it seems you are interested in the latest timestamp for certain ids. You can try with a max aggregation on the timestamp and use a terms aggregation on the id field, and also filter for your 10 minute window in your query and then check the number of buckets - this will however only work for up to 10k buckets.
hope that helps as a start
--Alex
Welcome to our community! 
There's a few examples here that might be of use - examples/Alerting/Sample Watches at master · elastic/examples · GitHub
Can you help me with the query?
Where can I put the query and activate the trigger?
The Create Watch API should help you.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.