Watcher range query Problem


(Oleg Andreas Parschalk) #1

Hi Guys,

i have a problem with my watcher. I try to search for 500 nginx access response code error in the last 24h. But no results are found. And this is quite impossible. The Dashboard tells me i have 2000+ hits in the last 24h.

Here is my json text. I must say that i'm a newbie with json and Watcher.

{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "filebeat*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "nginx.access.response_code": "500"
                  }
                },
                {
                  "range": {
                    "date": {
                      "gte": "now-1h/d",
                      "lt": "now/d"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "always": {}
  },
  "actions": {
    "send_email": {
      "throttle_period_in_millis": 300000,
      "email": {
        "profile": "standard",
        "attachments": {
          "attached_data": {
            "data": {
              "format": "json"
            }
          }
        },
        "priority": "high",
        "to": [
          "EMAILADRESS"
        ],
        "subject": "Encountered {{ctx.payload.hits.total}}  Response code 500 errors",
        "body": {
          "text": "Too many error in the system, see attached data"
        }
      }
    }
  },
  "metadata": {
    "color": "red"
  }
}

I read all the discussions here and i tried over and over again but with no results.

Thanks a lot!


(Alexander Reelsen) #2

Hey,

please share the output of the Execute Watch API for this watch, so we can take a look what happens!

Thanks!

--Alex


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.