Watcher for missing log event

ghost3h · June 10, 2019, 12:59pm

Hi, I'm trying to write a watcher for two specific hosts, for when we do not receive a log entry for them. I found a previous post looking for similar, which linked to this example. I've been trying to modify this to look for specific hostnames, with "MOL" in the name.

However it fails to trigger with error "failed to execute watch input". Modified code below.

{
  "metadata": {
    "window_period": "1h",
    "last_period":"8m"
  },
  "trigger": {
    "schedule": {
      "interval": "3m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "perf-metrics-*"
        ],
        "types": [],
        "body": {
          "query": {
            "@timestamp": {
                "gte": "now-{{ctx.metadata.window_period}}"
              }
          },
          "aggs": {
            "periods": {
              "filters": {
                "filters": {
                  "history": {
                    "range": {
                      "@timestamp": {
                        "gte": "now-{{ctx.metadata.window_period}}"
                      }
                    }
                  },
                  "last_period": {
                    "range": {
                      "@timestamp": {
                        "gte": "now-{{ctx.metadata.last_period}}"
                      }
                    }
                  },
                  "match": {
                    "host": "*MOL*"
                  }
                }
              },
              "aggs": {
                "hosts": {
                  "terms": {
                    "field": "host",
                    "size": 10000
                  }
                }
              }
            }
          },
          "size": 0
        }
      }
    }
  },
  "condition": {
    "script": {
      "id": "condition"
    }
  },
  "actions": {
    "script": {
	    "lang": "painless",
	    "source": "return ctx.payload.aggregations.periods.buckets.history.hosts.buckets.size() > ctx.payload.aggregations.periods.buckets.last_period.hosts.buckets.size();"
	  }

}

spinscale · June 10, 2019, 1:13pm

please provide the output of the Execute Watch API to aid with further debugging. Thanks.

ghost3h · June 10, 2019, 1:42pm

So I found that issue was due to missing "range" in the query, fixed that and get this issue now.

{
  "watch_id": "Logstash_watcher",
  "node": "k3GzQ4XpT_q-VpDWytcURQ",
  "state": "failed",
  "user": "kanderson",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2019-06-10T13:49:10.977Z"
    },
    "actions": {
      "log": {
        "ack": {
          "timestamp": "2019-06-10T13:49:10.977Z",
          "state": "awaits_successful_execution"
        }
      }
    },
    "execution_state": "failed",
    "version": -1
  },
  "trigger_event": {
    "type": "schedule",
    "triggered_time": "2019-06-10T13:52:11.390Z",
    "schedule": {
      "scheduled_time": "2019-06-10T13:52:10.978Z"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "perf-metrics-*"
        ],
        "types": [],
        "body": {
          "query": {
            "range": {
              "@timestamp": {
                "gte": "now-{{ctx.metadata.window_period}}"
              }
            }
          },
          "aggs": {
            "periods": {
              "filters": {
                "filters": {
                  "history": {
                    "range": {
                      "@timestamp": {
                        "gte": "now-{{ctx.metadata.window_period}}"
                      }
                    }
                  },
                  "last_period": {
                    "range": {
                      "@timestamp": {
                        "gte": "now-{{ctx.metadata.last_period}}"
                      }
                    }
                  },
                  "match": {
                    "hostname": "*MOL*"
                  }
                }
              },
              "aggs": {
                "hosts": {
                  "terms": {
                    "field": "host",
                    "size": 10000
                  }
                }
              }
            }
          },
          "size": 0
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.periods.buckets.history.hosts.buckets.size() > ctx.payload.aggregations.periods.buckets.last_period.hosts.buckets.size();",
      "lang": "painless"
    }
  },
  "metadata": {
    "last_period": "8m",
    "window_period": "1h",
    "name": "Logstash",
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2019-06-10T13:52:11.390Z",
    "execution_duration": 0,
    "input": {
      "type": "search",
      "status": "failure",
      "error": {
        "root_cause": [
          {
            "type": "parsing_exception",
            "reason": "[hostname] query malformed, no start_object after query name",
            "line": 1,
            "col": 221
          }
        ],
        "type": "parsing_exception",
        "reason": "[hostname] query malformed, no start_object after query name",
        "line": 1,
        "col": 221
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "perf-metrics-*"
          ],
          "types": [],
          "body": {
            "query": {
              "range": {
                "@timestamp": {
                  "gte": "now-1h"
                }
              }
            },
            "aggs": {
              "periods": {
                "filters": {
                  "filters": {
                    "history": {
                      "range": {
                        "@timestamp": {
                          "gte": "now-1h"
                        }
                      }
                    },
                    "last_period": {
                      "range": {
                        "@timestamp": {
                          "gte": "now-8m"
                        }
                      }
                    },
                    "match": {
                      "hostname": "*MOL*"
                    }
                  }
                },
                "aggs": {
                  "hosts": {
                    "terms": {
                      "field": "host",
                      "size": 10000
                    }
                  }
                }
              }
            },
            "size": 0
          }
        }
      }
    },
    "actions": []
  },
  "messages": [
    "failed to execute watch input"
  ]
}

spinscale · June 10, 2019, 2:10pm

before you put the query into a watch, please put it into a regular search request and check if it executes properly. it seems your filters aggregation is still off.

system · July 8, 2019, 2:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher, X amount of logs, per X host per hour Elasticsearch	2	517	March 23, 2020
Elasticsearch watcher Elasticsearch	1	311	August 21, 2018
Watcher advise in searching and filtering Elasticsearch	1	318	April 25, 2019
Need Help to write a watcher for alerting some beat.hostname missing on the last 1h or every day Elasticsearch elastic-stack-alerting	3	429	February 17, 2019
Alert When - system_fails_to_provide_data - dynamic group of sending hosts Logs	6	605	April 2, 2021

Watcher for missing log event

Related topics