Watcher Rule

I want to do a universal rule: if all indices fall below a certain threshold, then alert on the specific index in question.

How do I specify the index name in the body of this Watcher request?

@Patrick_Mueller - any insights into this? Does this help? Create an index threshold rule | Kibana Guide [master] | Elastic

Thanks
Rashmi

If you are using Watcher, then you simply wildcard the index names like so:

...
   "input": {
      "search": {
        "request": {
          "indices": [
            "*"
          ],
...

Let's say we got index * (indexa, indexb, indexc).

In the action --> I have SMTP; how do I say indexA exceeded the threshold?

I just need the index name in the output body

Well, it's more complicated than that, because you first have to aggregate the information on the index names, then individually evaluate each of them against your condition (in my example, the condition is if the index has fewer than 200 documents in the last day). Then, in the actions, you iterate through the result data structure again for formatting purposes. It would look something like this:

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1d"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            "*"
          ],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-1d"
                      }
                    }
                  }
                ]
              }
            },
            "aggs": {
              "all_indices": {
                "terms": {
                  "field": "_index",
                  "size": 10000
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": """
        // one bucket per index name; fire if any index is under the threshold
        for (def indices : ctx.payload.aggregations.all_indices.buckets) {
          if (indices.doc_count < 200) {
            return true;
          }
        }
        // no index breached the threshold: the condition must still return a boolean
        return false;
        """
    },
    "actions": {
      "log": {
        "transform": {
          "script": """
            // collect one record per index under the threshold; this list becomes ctx.payload._value
            def records = new ArrayList();
            for (def indices : ctx.payload.aggregations.all_indices.buckets) {
              if (indices.doc_count < 200) {
                def details = new HashMap();
                details.put("index", indices.key);
                details.put("doc_count", indices.doc_count);
                records.add(details);
              }
            }
            return records;
          """
        },
        "logging": {
          "text": """
          Records:
          ==========
          {{#ctx.payload._value}}
          index "{{index}}" had only {{doc_count}} documents
          {{/ctx.payload._value}}
           """
        }
      }
    }
  }
}

In my system, the output looks like:

          Records:
          ==========
          index ".ds-synthetics-http-default-2022.07.27-000001" had only 24 documents
          index ".fleet-policies-leader-7" had only 3 documents
          index ".fleet-servers-7" had only 1 documents
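
As an added illustration (not code from the thread or from Elastic), the following Python models the three steps of that watch offline: the terms aggregation on `_index` produces one bucket per index with `key` and `doc_count`, the condition checks whether any bucket is under the threshold, and the transform builds the record list that the Mustache template renders. The payload is constructed to mimic `ctx.payload`, not captured from a cluster. It goes one step beyond the watch: the optional `expected_indices` argument is an assumption added here, and it reports indices that are absent from the buckets entirely, which is what a terms aggregation does for an index that received no documents in the time window.

```python
THRESHOLD = 200  # same threshold as the watch in the thread

# Constructed payload shaped like ctx.payload after the search input runs;
# only the parts the condition and transform scripts touch are included.
SAMPLE_PAYLOAD = {
    "hits": {"total": {"value": 5028, "relation": "eq"}},
    "aggregations": {
        "all_indices": {
            "buckets": [
                {"key": "indexa", "doc_count": 5000},
                {"key": "indexb", "doc_count": 24},
                {"key": "indexc", "doc_count": 3},
                {"key": ".fleet-servers-7", "doc_count": 1},
            ]
        }
    },
}


def low_count_buckets(payload, threshold=THRESHOLD):
    """Buckets (one per index name) whose doc_count is under the threshold."""
    buckets = payload["aggregations"]["all_indices"]["buckets"]
    return [b for b in buckets if b["doc_count"] < threshold]


def condition(payload, threshold=THRESHOLD):
    """Equivalent of the watch condition script: True if any index breached
    the threshold, False otherwise (a boolean on every path)."""
    return bool(low_count_buckets(payload, threshold))


def transform(payload, threshold=THRESHOLD, expected_indices=()):
    """Equivalent of the action transform: one record per breaching index.

    expected_indices is an assumption of this example, not part of the watch:
    an index with zero matching documents never gets a terms bucket, so it is
    reported here with doc_count 0 instead of silently disappearing."""
    records = [{"index": b["key"], "doc_count": b["doc_count"]}
               for b in low_count_buckets(payload, threshold)]
    seen = {b["key"] for b in payload["aggregations"]["all_indices"]["buckets"]}
    for name in expected_indices:
        if name not in seen:
            records.append({"index": name, "doc_count": 0})
    return records


def render(records):
    """Equivalent of the logging action's Mustache text template."""
    lines = ["Records:", "=========="]
    for r in records:
        lines.append(f'index "{r["index"]}" had only {r["doc_count"]} documents')
    return "\n".join(lines)


if __name__ == "__main__":
    if condition(SAMPLE_PAYLOAD):
        # "indexd" is a constructed name that has no bucket, so it is reported as 0
        expected = ["indexa", "indexb", "indexc", "indexd"]
        print(render(transform(SAMPLE_PAYLOAD, expected_indices=expected)))
```

Running it prints the same Records block shape as the watch output above, with `indexb`, `indexc` and `.fleet-servers-7` from the buckets plus `indexd` at 0 documents. Whether a silent index should alert depends on the use case; if it should, the watch needs the list of expected indices from somewhere other than the aggregation, because the aggregation cannot report what it never saw.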

So I should just do individual watchers for each index then.

Thank you
