Hi,
I am wondering if I can somehow make Watcher execute the action part of a watch multiple times. For example, I have a watch that would trigger when any instance is over 80% filesystem usage as reported by metricbeat. I'm wondering if I get back 3 instances being over the threshold, can I somehow make watcher execute the action 3 times, once for each? Take the following watch:
{
"trigger": {
"schedule": {
"interval": "3m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"metricbeat-*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"from": "now-5m"
}
}
},
{
"term": {
"metricset.name": "filesystem"
}
}
]
}
},
"aggs": {
"by_host": {
"terms": {
"field": "beat.name",
"size": "100"
},
"aggs": {
"avg_use": {
"avg": {
"field": "system.filesystem.used.pct"
}
},
"avg_use_filter": {
"bucket_selector": {
"buckets_path": {
"avgUse": "avg_use"
},
"script": "params.avgUse > 0.8"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"source": "ctx.payload.aggregations.by_host.buckets.length > 0",
"lang": "painless"
}
},
"actions": {
"my-logging-action": {
"logging": {
"level": "info",
"text": "The following instances are over 80% disk use: {{#ctx.payload.aggregations.by_host.buckets}}{{key}},{{/ctx.payload.aggregations.by_host.buckets}}"
}
}
}
}
The above works in the sense of finding the correct results and outputting them, but it will only trigger the action once, for all of the results. This also means there is no way to throttle the actions individually per resource.