Watcher Kibana : How can i use double condition in a "compare"

hmezoughi · March 5, 2019, 10:56pm

I want to compare two conditon to send an alert mail

My exemple :

  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "AUDITTIMESTAMP": {
              "gte": "now-15m"
            }
          }
        }
      ],
      "filter": [
        {
          "term": {
            "SERVICE_NAME": "my-service-name"
          }
        },
        {
          "term": {
            "STATE": "ERROR"
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 10
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard"

i want to add an another condition (total error >10) and a least 50 totals hits already on the last 15 minutes to firing alert ?

Thx

andres-perez · March 6, 2019, 5:55pm

Hi,

I don't understand well the extra condition you want to add

Your current input query looks for "ERROR" value for the field "STATE" from the last 15 minutes.

If you want to look for different data in the same watch, you can use chain inputs.

There is a thread in this forum with a full example: A watch alert example based on two different searches using CHAIN input and Painless script condition

For example, you can set

One search input named "errors" with your current query
Another one named "all_messages" with a similar query minus the "ERROR" filter to get all messages in the last 15 minutes.

Customize them with your desired searches.

Then, you may use a script condition to be able to evaluate two conditions.

Something like:

  "condition": {
    "script": {
      "source": "return ctx.payload.errors.hits.total >= 15 && ctx.payload.all_messages.hits.total >= 50",
      "lang": "painless"
    }

hmezoughi · March 6, 2019, 10:00pm

Hello andres-perez,

Thank you very very much, i customize your example condition and it work

Excuse me for my english if the presentation of my problem was not very clear (i am french )

hmezoughi · March 7, 2019, 11:16am

Last question : how to tranform ctx.payload.error.hits.totals to calculate the error percentage from the total number, for example, I accept 10% error on total calls

andres-perez · March 7, 2019, 4:46pm

You can operate directly with the values.

If you just use the integrated editor in kibana (which enforces the 1-line limit of JSON), you can write multiple statements separated with semicolons.

A condition roughly like ((errors * 100) / total_messages) >= 10 should be enough; you have to verify the proper syntax, operators, maybe data types... this is not a literal code example.

If you want to save the resulting percentage value, you can add elements to the watch execution context object whenever you use painless script.

The ctx.vars would be a good place to set new variables.

Again, a pseudocode-ish example

   "script": {
      "source": "ctx.vars.error_percentage = ctx.payload.errors.hits.total * 100 / ctx.payload.all_messages.hits.total; more statements separated by semicolons"

If this is part of the condition, then it must finish with a suitable evaluation:

"source": "...previous statements; return ctx.vars.error_percentage >= 10"

This way, you will be able to use this value later in the actions section (e.g. an email): "bla bla bla the system has registered {{ctx.vars.error_percentage}} % error rate"

J'espère que ça vous aidera

hmezoughi · March 7, 2019, 4:58pm

Thx Andreas,

I write like this ??

"condition": {
"script": {
"source": "return (ctx.payload.error_15m.hits.total * 100 / ctx.payload.all_15m.hits.total ) >= 10 && ctx.payload.all_15m.hits.total > 2000",
"lang": "painless"
}
},

hmezoughi · March 7, 2019, 10:43pm

Awesome guy, it work for me !

My final version

"condition": {
"script": {
"source": "ctx.vars.error_percentage = ctx.payload.error_15m.hits.total * 100 / ctx.payload.all_15m.hits.total; return ctx.vars.error_percentage >= 10 && ctx.payload.all_15m.hits.total > 2000",
"lang": "painless"
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"to": [
"username@domain.fr"
],
"subject": "[Kibana - Alert - Grave] Test envoi alerte si % d'erreur > 10",
"body": {
"html": "Détection sur les 15 dernieres minutes de 10 % d'erreur ({{ctx.vars.error_percentage}} % error )
{{ctx.payload.error_15m.hits.total}} erreurs sur un TOTAL de : {{ctx.payload.all_15m.hits.total}} appels Merci de vérifier sur le Dashboard QOS "
}
}
}
}
}

system · April 4, 2019, 10:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.