Hi,
I have an app which returns different statuscodes based on URL being hit. I want to generate make a watcher alert based on the values in the same field with different outputs. I do not want the collective count/aggregated alerts. For example:
statuscode field can have values 220, 221, 222
the single alert should check each statuscode count separately
apply the threshold separately for each aggregated value
generate unique alert for each.
Currently I am using this which gives the collective count of each value. I want to separate the searched ctx.payloads.hits.total for each of the value
{
"trigger": {
"schedule": {
"interval": "30h"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"custom*"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "220 OR 221 OR 222"
}
},
{
"range": {
"@timestamp": {
"gte": "now-10m"
}
}
}
]
}
},
"_source": [
"StatusCode"
],
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 5
}
}
},
"actions": {
"notify-slack": {
"throttle_period_in_millis": 60000,
"slack": {
"message": {
"from": "watcher1",
"to": [
"#elastalert"
],
"text": "There are {{ctx.payload.hits.total}} error messages for node-app. Threshold is 5"
}
}
}
}
}