Watcher_help

alerting

(new) #1

As I am new to Elastic and Watcher, is the below watcher correct to trigger every 15 min for cduration >= 300000?

{
  "trigger": {
    "schedule": {
      "interval": "15m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "wdata_index"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [{
                "range": {
                  "@date_time": {
                    "lte": "now"
                  }
                }
              }]
            }
          },
          "aggs": {
            "DatehHistogram": {
              "date_histogram": {
                "field": "date_time",
                "interval": "15m"
              },
              "aggs": {
                "duration": {
                  "sum": {
                    "field": "Cduration"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.DatehHistogram.buckets": {
        "path": "duration.value",
        "gte": {
          "value": 300000,
          "quantifier": "some"
        }
      }
    }
  },
  "actions": {
    "email_me": {
      "throttle_period_in_millis": 600000,
      "email": {
        "profile": "standard",
        "attachments": {
          "cduration_report.pdf": {
            "reporting": {
              "url": "http:localhost:/xxxx",
              "retries": 3,
              "interval": "10s",
              "auth": {
                "basic": {
                  "username": "elastic"
                }
              }
            }
          }
        },
        "from": "xyz.abc@gmail.com",
        "to": [
          "xyz.abc@gmail.com"
        ],
        "subject": "Drop in value",
        "body": {
          "html": "Detected CDuration less than per day value"
        }
      }
    }
  }
}


(Alexander Reelsen) #2

Hey,

You can use markdown for formatting in this forum, which makes it much easier to read code snippets.

If you want to start debugging your watch, the Execute Watch API is a huge helping tool to aid in debugging and reduce your testing cycles. This API allows you to get quick feedback on how your watch executes and in addition also allows you to emulate different search results, so that you can trigger the watch.

There is also a blog post explaining the art of watch writing and debugging, see https://www.elastic.co/blog/watching-the-watches-writing-debugging-and-testing-watches

Hope this helps! If there are problems, always add the output of the execute watch API to your posts, as this will help tremendously. Thanks!

--Alex


(new) #3

Following is the output

{
  "_id": "Test_dur_88c6beca-5e52-4afe-8d83-db9903033ba4-2018-07-05T04:58:03.573Z",
  "watch_record": {
    "watch_id": "Test_dur",
    "node": "CrVzval4RqeStU4se_vcFQ",
    "state": "execution_not_needed",
    "status": {
      "state": {
        "active": true,
        "timestamp": "2018-07-04T04:51:28.393Z"
      },
      "last_checked": "2018-07-05T04:58:03.573Z",
      "actions": {
        "my-logging-action": {
          "ack": {
            "timestamp": "2018-07-04T04:51:28.393Z",
            "state": "awaits_successful_execution"
          }
        }
      },
      "execution_state": "execution_not_needed",
      "version": 50
    },
    "trigger_event": {
      "type": "manual",
      "triggered_time": "2018-07-05T04:58:03.573Z",
      "manual": {
        "schedule": {
          "scheduled_time": "2018-07-05T04:58:03.573Z"
        }
      }
    },
    "input": {
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "data_usage"
          ],
          "types": []
        },
        "extract": [
          "CDURATION"
        ]
      }
    },
    "condition": {
      "compare": {
        "ctx.payload.CDURATION": {
          "lte": 10
        }
      }
    },
    "metadata": {
      "xpack": {
        "type": "json"
      }
    },
    "result": {
      "execution_time": "2018-07-05T04:58:03.573Z",
      "execution_duration": 1,
      "input": {
        "type": "search",
        "status": "success",
        "payload": {},
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "data_usage"
            ],
            "types": []
          }
        }
      },
      "condition": {
        "type": "compare",
        "status": "success",
        "met": false,
        "compare": {
          "resolved_values": {
            "ctx.payload.CDURATION": null
          }
        }
      },
      "actions": []
    },
    "messages": []
  }
}


(Alexander Reelsen) #4

Again, please use markdown for formatting, especially for code snippets. Reading unindented JSON is hard.

Your watch and your watch result do not match, meaning that those are two different watches. This snippet from the execute watch API shows that you have a different condition:

"condition": {
  "type": "compare",
  "status": "success",
  "met": false,
  "compare": {
    "resolved_values": {
      "ctx.payload.CDURATION": null
    }
  }
}

There is no field named ctx.payload.CDURATION in the response that you are trying to access - your watch above mentions a different field.
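Added example (not code from this thread or from Elastic): an offline model of the two things discussed above, namely how Watcher resolves a `ctx.payload.*` path and evaluates the `compare` and `array_compare` conditions (so a missing field shows up as `null` and the condition is not met, exactly as in the execute-watch output in #3), and how to build an Execute Watch API request body whose `alternative_input` emulates a search result, as #2 suggests, so the condition can be exercised without waiting for real data. The condition, path and field names are those from the thread (the operator spelled `gte`, which is the name Watcher accepts); the bucket payload is constructed, and the `debug` and `build_execute_request` helpers are this example's own, not part of the Watcher API.

```python
import json

# Comparison operators accepted by Watcher's compare / array_compare conditions.
# A None (missing) value never satisfies an ordering test, matching "met": false
# with "resolved_values": {...: null} in the execute-watch output.
OPERATORS = {
    "eq": lambda a, b: a == b,
    "not_eq": lambda a, b: a != b,
    "gt": lambda a, b: a is not None and a > b,
    "gte": lambda a, b: a is not None and a >= b,
    "lt": lambda a, b: a is not None and a < b,
    "lte": lambda a, b: a is not None and a <= b,
}


def walk(node, path):
    """Follow a dotted path through nested dicts/lists; None if any segment is missing."""
    for part in [p for p in path.split(".") if p]:
        if isinstance(node, dict):
            node = node.get(part)
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return None
        if node is None:
            return None
    return node


def resolve(ctx, path):
    """Resolve a watch path such as 'ctx.payload.CDURATION' against the execution context."""
    if not path.startswith("ctx."):
        raise ValueError("watch paths start with 'ctx.': " + path)
    return walk(ctx, path[len("ctx."):])


def evaluate_compare(ctx, condition):
    """compare: {<path>: {<op>: <value>}} -> (met, resolved_values)."""
    (path, spec), = condition.items()
    (op, value), = spec.items()
    actual = resolve(ctx, path)
    return OPERATORS[op](actual, value), {path: actual}


def evaluate_array_compare(ctx, condition):
    """array_compare: {<array path>: {"path": <sub path>, <op>: {"value": v, "quantifier": q}}}
    -> (met, values compared). quantifier 'some' = any element, 'all' = every element."""
    (array_path, spec), = condition.items()
    sub_path = spec.get("path", "")
    op = next(k for k in spec if k in OPERATORS)
    value = spec[op]["value"]
    quantifier = spec[op].get("quantifier", "some")
    array = resolve(ctx, array_path)
    if not isinstance(array, list):
        return False, []
    values = [walk(element, sub_path) for element in array]
    hits = [OPERATORS[op](v, value) for v in values]
    return (all(hits) if quantifier == "all" else any(hits)), values


def build_execute_request(ctx_payload, ignore_condition=False):
    """Body for POST _watcher/watch/<watch_id>/_execute (6.x: _xpack/watcher/watch/<id>/_execute).
    alternative_input replaces the real search result; simulate mode runs actions without side effects."""
    return {
        "alternative_input": ctx_payload,
        "ignore_condition": ignore_condition,
        "action_modes": {"_all": "simulate"},
        "record_execution": False,
    }


# Constructed sample: what the 15m date_histogram / sum aggregation from #1 would return.
SAMPLE_PAYLOAD = {
    "aggregations": {
        "DatehHistogram": {
            "buckets": [
                {"key_as_string": "2018-07-05T04:00:00.000Z", "doc_count": 12, "duration": {"value": 120000.0}},
                {"key_as_string": "2018-07-05T04:15:00.000Z", "doc_count": 30, "duration": {"value": 450000.0}},
            ]
        }
    }
}

# The array_compare condition from #1 and the compare condition seen in the #3 output.
WATCH_CONDITION = {
    "ctx.payload.aggregations.DatehHistogram.buckets": {
        "path": "duration.value",
        "gte": {"value": 300000, "quantifier": "some"},
    }
}
POSTED_CONDITION = {"ctx.payload.CDURATION": {"lte": 10}}


def debug(ctx_payload):
    """Evaluate both conditions against one emulated payload, as the execute API would report."""
    ctx = {"payload": ctx_payload}
    met_array, values = evaluate_array_compare(ctx, WATCH_CONDITION)
    met_compare, resolved = evaluate_compare(ctx, POSTED_CONDITION)
    return {"array_compare_met": met_array, "bucket_values": values,
            "compare_met": met_compare, "resolved_values": resolved}


if __name__ == "__main__":
    print(json.dumps(debug(SAMPLE_PAYLOAD), indent=2))
    print(json.dumps(build_execute_request(SAMPLE_PAYLOAD), indent=2))
```

Run against the constructed payload, the `array_compare` is met because one bucket sums to 450000, while the `compare` on `ctx.payload.CDURATION` resolves to `None` and is not met, which is the same shape of result as the output in #3. The returned request body is what you would send to the Execute Watch API to reproduce that run without a real search.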


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.