Watcher for no log event

Hello everybody,

I'm trying to create a watcher that checks, for a known set of applications, whether each one has produced any log events. The condition should report every application that has not received any logs / events within the last hour. The main problem is that a `terms` aggregation only creates buckets for values that actually occur in the documents matched by the query, so an application with zero events in the time window has no bucket at all. The `doc_count <= 0` check in the condition can therefore never match it, and the watcher never reports applications with 0 events.

This is the code I used:

{
  "trigger": {
    "schedule": {
      "interval": "60m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "INDEX_app"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "match_phrase": {
                    "kubernetes.namespace_name": "APP"
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-60m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "bucketAgg": {
              "terms": {
                "field": "kubernetes.container_image.keyword",
                "size": "5000",
                "order": {
                  "_count": "asc"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i].doc_count <= params.threshold) { return true; } } return false;",
      "lang": "painless",
      "params": {
        "threshold": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "from": "noreply-elk@EMAIL.COM",
        "to": [
          "XXX@XXX-Mail.com"
        ],
        "subject": "Alert 1: no log for app",
        "body": {
          "text": "{{ctx.payload}}"
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = arr[i].doc_count; if (filteredHit.value < params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
      "lang": "painless",
      "params": {
        "threshold": 0
      }
    }
  }
}

If this approach is wrong, can you recommend another solution?

Thank you

Since applications with no documents can never appear in the aggregation result, I would approach it like this:

  1. query the list of expected applications from a separate index such as `LIST_app` (Watcher's `chain` input can run both searches and expose each result under its own key in `ctx.payload`)
  2. run the aggregation on `INDEX_app` as you already do, so you get the set of applications that did log something in the window
  3. use a transform script to cross-reference the results of steps 1 and 2 and output only the applications from step 1 whose key does not appear among the bucket keys from step 2. Note that your current transform filters on `doc_count < params.threshold` with a threshold of 0, which is never true, while the condition uses `<=`; with the set-difference approach the threshold is no longer needed, and the condition should instead fire whenever that list of missing applications is non-empty.