Hello,
I would like to ask for help. I would like to have a watcher that finds the difference between the keys of 2 buckets.
The goal is to find out if there is a difference in the values of the HOST field now and some time ago and send this difference by email.
Here is what I want:
values:
latest5: aa, bb, cc
previous5: aa,bb
result will be cc
Value cc is missing. This is the situation in which I need to send an email.
I have this result (from the watcher action):
"text": """PREVIOUS {{ctx.payload.aggregations.five_min.buckets.previous5.number_of_values.buckets}}
NOW {{ctx.payload.aggregations.five_min.buckets.latest5.number_of_values.buckets}} """
PREVIOUS {0={doc_count=2246, key=aa}, 1={doc_count=1209, key=bb}, 2={doc_count=1209, key=cc}}
NOW {0={doc_count=1530, key=aa}, 1={doc_count=744, key=bb}}
How can I compare these 2 buckets.keys arrays?
Here is the watcher:
{
  "trigger": {
    "schedule": {
      "interval": "20s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "yyyyy"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "now-120m",
                    "to": "now"
                  }
                }
              }
            }
          },
          "aggs": {
            "five_min": {
              "filters": {
                "filters": {
                  "latest5": {
                    "range": {
                      "@timestamp": {
                        "gte": "now-20m",
                        "lte": "now"
                      }
                    }
                  },
                  "previous5": {
                    "range": {
                      "@timestamp": {
                        "gte": "now-120m",
                        "lt": "now-60m"
                      }
                    }
                  }
                }
              },
              "aggs": {
                "number_of_values": {
                  "terms": {
                    "field": "host"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "always": {}
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "xxxxx"
        ],
        "subject": "testtest1",
        "body": {
          "text": """PREVIOUS {{ctx.payload.aggregations.five_min.buckets.previous5.number_of_values.buckets}}
NOW {{ctx.payload.aggregations.five_min.buckets.latest5.number_of_values.buckets}} """
        }
      }
    }
  }
}
Thank you so much.
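
An added example, not part of the original post: one way to compare the two `buckets` key lists is a Painless script `condition` plus a script `transform`, replacing the `condition` and `actions` sections of the watch above (same Kibana console triple-quote syntax). The payload field names `disappeared` and `appeared` are assumptions chosen for this sketch; both directions are computed because the post's wanted result and its sample output point in opposite directions.

```json
"condition": {
  "script": {
    "source": """
      def b = ctx.payload.aggregations.five_min.buckets;
      def prev = new HashSet();
      for (def x : b.previous5.number_of_values.buckets) { prev.add(x.key); }
      def now = new HashSet();
      for (def x : b.latest5.number_of_values.buckets) { now.add(x.key); }
      // Run the actions only when the two sets of host keys differ.
      return !prev.equals(now);
    """
  }
},
"transform": {
  "script": {
    "source": """
      def b = ctx.payload.aggregations.five_min.buckets;
      def prev = new HashSet();
      for (def x : b.previous5.number_of_values.buckets) { prev.add(x.key); }
      def now = new HashSet();
      for (def x : b.latest5.number_of_values.buckets) { now.add(x.key); }
      // Hosts seen in the earlier window but not in the latest one.
      def disappeared = new ArrayList(prev);
      disappeared.removeAll(now);
      // Hosts seen in the latest window but not in the earlier one.
      def appeared = new ArrayList(now);
      appeared.removeAll(prev);
      // The returned map replaces ctx.payload for the actions.
      return ['disappeared': disappeared, 'appeared': appeared];
    """
  }
},
"actions": {
  "send_email": {
    "email": {
      "profile": "standard",
      "to": [ "xxxxx" ],
      "subject": "testtest1",
      "body": {
        "text": """DISAPPEARED {{#ctx.payload.disappeared}}{{.}} {{/ctx.payload.disappeared}}
APPEARED {{#ctx.payload.appeared}}{{.}} {{/ctx.payload.appeared}}"""
      }
    }
  }
}
```

A `terms` aggregation returns only the top 10 buckets by default, so with more than 10 hosts set `size` on `number_of_values`, otherwise the comparison runs on truncated lists and reports hosts as missing that are merely outside the top 10.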