Watcher query current index by week

I'm trying to create a watcher that will query the current index and indexes are rolled over each week with a format of flows-2019.46. I'm having troubles trying to get that expression to work in a watcher and could use some help. The line in question is:

"flows-{now/d{xxxx.ww}}"

I've tried variations of {YYYY.ww} and now/M{xxxx.ww} but can't get any to work. Any suggestion is appreciated.

Hi @uklipse,

Let me look into this and I will get back with you.

So is the issue when you are trying to format the rollup to have that name? Or is it when you are trying to set the indices to watch, you are trying to find the name? Because when looking for the indices to watch, you would just need a wildcard like flows-*. It's only when creating the rollup job that you have to use the formatting for the name of the generated rollup indices.

It is when we are trying to set the indices to watch. It works if I use flows-* but this watcher runs every 30 minutes and I didn't want to search over all indexes for all time just the current one for performance reasons. Its purpose is to look back 1 hour and return a response if less than 10 hits are seen which would indicate something has stopped sending logs to this index.

The watcher has a compare condition to trigger if total hits are less than 10 (which triggers an alert) so if it sees more than 10 does it automatically stop searching and the compare condition fails and doens't trigger an alert?

Also thanks for the quick response!

I guess one way you can handle is to have the legacy data deleted or name changed so it no longer matches the wildcard expression once the new rollup is created.

When I run this watcher manually in dev tools, one of the fields it returns is execution_duration. In my case, it returns a value of 7. Do you know what scale that value is in?

I am not sure. Another way you can get this achieved is with an advanced watch.
But you should be able to do what you are asking in the UI.

https://www.elastic.co/guide/en/elasticsearch/reference/current/input-search.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.4/date-math-index-names.html

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.