Hello everybody,
I'm trying to create in Elastic (the cloud version) a trigger / alert that, based on the value of an index field, sends an email.
My index is, more or less, structured like this:
id timestamp
XX 2021-05-01 17:23
YY 2021-05-01 16:15
I would like to create an alert that, if the data is older than 10 minutes, a specific alert relating to the id will start, so:
"XX hasn't sent data for more than 10 minutes"
Hey,
so the idea of watcher here, is to create an elasticsearch query first, that returns the data you need - so we should probably work on this first. In your case it seems you are interested in the latest timestamp for certain ids. You can try with a max aggregation on the timestamp and use a terms aggregation on the id field, and also filter for your 10 minute window in your query and then check the number of buckets - this will however only work for up to 10k buckets.
hope that helps as a start
--Alex
Welcome to our community! 
There's a few examples here that might be of use - examples/Alerting/Sample Watches at master · elastic/examples · GitHub
Can you help me with the query?
Where can I put the query and activate the trigger?
The Create Watch API should help you.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.