Watcher Question

We would like to set up a watcher that continuously compares the latest sum of values by location against historical data and alerts when the latest set of values is more than two standard deviations above the historical values. The following watch is not working as expected.

PUT _watcher/watch/mywatcher
{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "myindex"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-10d",
                      "to": "now"
                    }
                  }
                },
                {
                  "terms": {
                    "result_type": [
                      "bucket",
                      "record",
                      "influencer"
                    ]
                  }
                }
              ]
            }
          },
          "aggs": {
            "five_minutes": {
              "filters": {
                "filters": {
                  "latest15minutes": {
                    "range": {
                      "@timestamp": {"gte": "now-15m", "lte": "now"}
                      
                    }
                    
                  },
                  "previous6days":{
                    "range": {
                      "@timestamp": {"gte": "now-6d", "lte": "now-15m"}
                    }
                    
                  }
                  
                }
                
              },
              "aggs": {
                "bylocation": {
                  "terms": {
                    "field": "location"
                    },
                    "aggs":{
                      "avgvalues": {
                        "avg": {
                          "field": "val"
                          
                        }
                        
                      }
                      
                    }
                }
                
              }
                
              }
              
            }
            
          }
          
        }
        
      }
  },
  "condition": {
    "script": {
      "inline": "return ctx.payload.aggregations.five_minutes.buckets.latest15minutes.avgvalues.value > 2 * ctx.payload.aggregations.five_minutes.buckets.previous6days.avgvalues.value"
      
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": "Alert for job [{{ctx.payload.aggregations.five_minutes.buckets.latest15minutes.avgvalues}}]"
      }
    }    
  }  
}  

Fixed.
