Hi,
I have a few servers which supply the number of 'current active users' on those servers to my Elastic stack via Logstash.
I am trying to create a watch such that;
If the number of 'current active users' drops by 70% over a 5 minute period, then send an email alert.
So the basic logic looks like:
If currentActiveUsers(@time=now) < (0.3 * currentActiveUsers(@time=(now-5mins))), then send email alert.
Is this even possible?
The relevant parts of the Watch JSON looks like this but it definitely doesn't compile as is:
"input": {
"search": {
"request": {
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-5m",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
}
},
"aggs": {
"bucketAgg": {
"terms": {
"field": "hostname.keyword",
"size": "10",
"order": {
"metricAgg": "desc"
}
},
"aggs": {
"metricAgg": {
"max": {
"field": "CurrentActiveSessions"
}
}
}
}
}
},
"indices": [
"<useful_index>"
]
}
}
}
"condition": {
"script": {
"source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value{{ctx.trigger.scheduled_time}} < params.threshold * arr[i]['metricAgg'].value{{ctx.trigger.scheduled_time}}||-5m) { return true; } } return false;",
"params": {
"threshold": 0.3
}
}
}
"actions": {
"email_1": {
"email": {
"profile": "standard",
"to": [
"amStuck@sendHelpPls.com"
],
"subject": "Active Sessions Alert!",
"body": {
"text": "Active Sessions Alert!\nThe number of active sessions connected to {{ctx.payload.hostname.keyword}} has dropped 70% in the last 5 minutes."
}
}
}
}
The syntax in the condition statement is very wrong but I am not sure how to fix it
Any help is most appreciated,
Thank You!