Watcher Not Triggering for CPU Utilization

Hello,

I am trying to set up a Metricbeat watcher to get CPU utilization for a host, but it is not triggering. Below are the watch JSON and the simulate result. Kindly suggest what I am missing or doing wrong:

JSON:

{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"metricbeat-wp-acc*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-5m",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
}
},
"aggs": {
"bucketAgg": {
"terms": {
"field": "beat.hostname",
"size": 5,
"order": {
"metricAgg": "desc"
}
},
"aggs": {
"metricAgg": {
"avg": {
"field": "system.cpu.total.pct"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value > params.threshold) { return true; } } return false;",
"lang": "painless",
"params": {
"threshold": 0.3
}
}
},
"actions": {
"email_1": {
"email": {
"account": "gmail_account",
"profile": "gmail",
"to": [
"xyz@gmail.com"
],
"subject": "Watch [{{ctx.metadata.name}}] has exceeded the threshold",
"body": {
"text": "The hosts have exceeded the CPU threshold"
}
}
}
},
"metadata": {
"watcherui": {
"trigger_interval_unit": "m",
"agg_type": "avg",
"time_field": "@timestamp",
"trigger_interval_size": 1,
"term_size": 5,
"time_window_unit": "m",
"threshold_comparator": ">",
"term_field": "beat.hostname",
"index": [
"metricbeat-wp-access*"
],
"time_window_size": 5,
"threshold": 0.3,
"agg_field": "system.cpu.total.pct"
}
},
"transform": {
"script": {
"source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = arr[i]['metricAgg'].value; if (filteredHit.value > params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
"lang": "painless",
"params": {
"threshold": 0.3
}
}
}
}

Simulate result:

{
"watch_id": "inlined",
"node": "_LuW32Y-RbeU2JuugU7NPQ",
"state": "execution_not_needed",
"status": {
"state": {
"active": true,
"timestamp": "2018-06-22T02:20:34.354Z"
},
"last_checked": "2018-06-22T02:20:34.361Z",
"actions": {
"email_1": {
"ack": {
"timestamp": "2018-06-22T02:20:34.354Z",
"state": "awaits_successful_execution"
}
}
},
"execution_state": "execution_not_needed",
"version": -1
},
"trigger_event": {
"type": "manual",
"triggered_time": "2018-06-22T02:20:34.358Z",
"manual": {
"schedule": {
"scheduled_time": "2018-06-22T02:20:34.358Z"
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"metricbeat-wp-access*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-5m",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
}
},
"aggs": {
"bucketAgg": {
"terms": {
"field": "beat.hostname",
"size": 5,
"order": {
"metricAgg": "desc"
}
},
"aggs": {
"metricAgg": {
"avg": {
"field": "system.cpu.total.pct"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value > params.threshold) { return true; } } return false;",
"lang": "painless",
"params": {
"threshold": 0.3
}
}
},
"metadata": {
"name": "t22",
"watcherui": {
"trigger_interval_unit": "m",
"agg_type": "avg",
"time_field": "@timestamp",
"trigger_interval_size": 1,
"term_size": 5,
"time_window_unit": "m",
"threshold_comparator": ">",
"term_field": "beat.hostname",
"index": [
"metricbeat-wp-access*"
],
"time_window_size": 5,
"threshold": 0.3,
"agg_field": "system.cpu.total.pct"
},
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2018-06-22T02:20:34.361Z",
"execution_duration": 71,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 6,
"failed": 0,
"successful": 6,
"skipped": 0
},
"hits": {
"hits": [],
"total": 1131,
"max_score": 0
},
"took": 8,
"timed_out": false,
"aggregations": {
"bucketAgg": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 540,
"metricAgg": {
"value": 0.043533333333333334
},
"key": "wp-accessXXXXXXXXX-vm"
},
{
"doc_count": 591,
"metricAgg": {
"value": 0.013166666666666667
},
"key": "wp-accessXXXXXXXXXX-vm"
}
]
}
}
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"metricbeat-wp-access*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"gte": "2018-06-22T02:20:34.358Z||-5m",
"lte": "2018-06-22T02:20:34.358Z",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
}
},
"aggs": {
"bucketAgg": {
"terms": {
"field": "beat.hostname",
"size": 5,
"order": {
"metricAgg": "desc"
}
},
"aggs": {
"metricAgg": {
"avg": {
"field": "system.cpu.total.pct"
}
}
}
}
}
}
}
}
},
"condition": {
"type": "script",
"status": "success",
"met": false
},
"actions": []
},
"messages": []
}

Your threshold is 0.3,
and your averages are 0.01 and 0.04.
So logically, if you run this condition:
for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value > params.threshold) { return true; } } return false;"

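then it returns false, because neither average is greater than the threshold. That is why the simulate result shows "met": false for the condition and the watch state is "execution_not_needed": the watch ran correctly, but there was nothing to alert on. To confirm the email action works, temporarily set the threshold below the observed averages and simulate again.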
