Hi folks, we've just upgraded to Elastic 5 over Dev, UAT and Live. I'm just looking at Watcher for the first time.
I've configured a simple query to look for HTTP 503 errors in our HAProxy access logs and report to our Slack channel if there are more than 25 errors over a 5 minute period. Here is the JSON:
```json
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash-haproxy_access-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "http_status_code": 503
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-5m",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 25
      }
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period_in_millis": 300000,
      "slack": {
        "account": "REMOVEDCHANNELNAME",
        "message": {
          "from": "kibana-dev",
          "to": [
            "#kibana-dev"
          ],
          "attachments": [
            {
              "color": "danger",
              "title": "HAPROXY 503 ERRORS",
              "text": "Encountered {{ctx.payload.hits.total}} HTTP 503 errors in the last 5 minutes"
            }
          ]
        }
      }
    }
  }
}
```
And here is what you see in Slack:
So far, so good.
However, what I'd like to do is to add a URL to the Slack message which links back to the Watch History or a Watcher index so someone can click through and investigate the messages, then mark the Slack message as seen / green tick to indicate it's been investigated.
I am not sure where to start. Any ideas?
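One way to get the click-through the post asks for, as an added example rather than the original poster's watch: the `actions` section rewritten so the Slack attachment carries a `title_link` into Kibana Discover scoped to the same 5 minute window and 503 query the watch searched, and the message text surfaces `{{ctx.watch_id}}` and `{{ctx.execution_time}}`, which are the keys an investigator needs to find this run in the `.watcher-history-*` indices. Assumptions: `KIBANA_HOST_PLACEHOLDER` is a placeholder for your Kibana base URL, and the Discover URL parameters (`_g` time range in rison, `_a` index pattern and query) follow the Kibana 5 URL layout and may need adjusting for your version.

```json
{
  "actions": {
    "notify-slack": {
      "throttle_period_in_millis": 300000,
      "slack": {
        "account": "REMOVEDCHANNELNAME",
        "message": {
          "from": "kibana-dev",
          "to": [
            "#kibana-dev"
          ],
          "attachments": [
            {
              "color": "danger",
              "title": "HAPROXY 503 ERRORS (watch {{ctx.watch_id}})",
              "title_link": "https://KIBANA_HOST_PLACEHOLDER/app/kibana#/discover?_g=(time:(from:'{{ctx.trigger.scheduled_time}}||-5m',to:'{{ctx.trigger.triggered_time}}'))&_a=(index:'logstash-haproxy_access-*',query:(query_string:(query:'http_status_code:503')))",
              "text": "Encountered {{ctx.payload.hits.total}} HTTP 503 errors in the last 5 minutes. Watch run executed at {{ctx.execution_time}}; look it up in .watcher-history-* by watch_id {{ctx.watch_id}} to see the full search result and action status."
            }
          ]
        }
      }
    }
  }
}
```

The rest of the watch (trigger, input, condition) stays as posted; only the Slack attachment changes, so the throttle and the 25-error threshold behave exactly as before.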