Watcher results returning similar terms instead of specific one

prodrg · June 30, 2017, 3:37pm

I have the following watch

{
  "trigger" : {
    "schedule" : {
      "interval" : "5m"
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "search_type": "query_then_fetch",
        "indices" : [ "<logstash-{now/d}>"],
        "types" : [ "alerts" ],
        "body" : {
          "sort" : {
            "@timestamp" : {"order" : "desc"}
          },
          "query" : {
            "bool" : {
              "must": {
                "match": {
                  "name": "Info/Alert.A"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-5m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : {
      "ctx.payload.hits.total" : {
        "gt" : 0
      }
    }
  },
  "actions" : {
    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "account" : "alert",
        "message" : {
          "to" : [ "#watcher-alert" ],
          "text" : "There is an alert!"
        }
      }
    }
  }
}

The watch works, but checking the watcher history, it returns results similar to the term I want to match ("Info/Alert.A"), for example, "Info/Failure!4r" o "Info/Heavy.Root". Why can this be happening or which approach can I take (how can I use wildcards on a Watcher query)?

spinscale · June 30, 2017, 3:58pm

Hey,

this is not a watcher issue, but an issue with your query. When you are using a match query, the terms get split and analyzed so that your query is not an exact match anymore, when you are querying an analyzed field.

If this is on Elasticsearch 5.x, you could try to query the field name.keyword (or name.raw, depends on your mapping) and see if that works instead.

Generally, it is useful to not write your watch first, but test your query, before you copy and paste it into a watch.

You might want to take some time and read this blog post, which explains how to debug watches https://www.elastic.co/blog/watching-the-watches-writing-debugging-and-testing-watches

--Alex

prodrg · June 30, 2017, 4:19pm

Thanks @spinscale, I will try with that, then. Really thanks for the resource, will be helpful.

I have another question though. I am testing it on Kibana with keyword ("name.keyword": "Info/Alert.A"), which is working, but on the search, the slash isn't being highlighted on the results. Does this affects the query?

spinscale · June 30, 2017, 4:33pm

Not sure i understand that "highlighting" part, but I that feels just like a display issue, and not like a search issue. If the search returns the document that you expect all should be fine.

Feel free to elaborate on that highlighting thing, though!

prodrg · June 30, 2017, 4:50pm

Sure! Sometimes, when you do a search on Kibana (let's say, you put a word you want to look on the entries), the obtained results are shown. So, the word you queried is highlighted in orange on each entry. But it seems this is part of Kibana instead of the query in general.

spinscale · July 2, 2017, 1:39pm

ah, got it. Thats indeed a kibana feature, you can ignore it for watcher.

system · July 30, 2017, 1:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.