Watcher: same query two different ranges (times)

yago82 · October 19, 2022, 10:11am

Hi,
it's possible to create a watcher with a single query on two different times?

Ex. If a certain threshold is exceeded between 10-11 and 11-12 and so on. So the alert would trigger only if the two conditions are met

Thanks
Regards

richcollier · October 20, 2022, 2:43am

Gosh, there are many ways this could be solved.

You could use a input chain to make multiple queries (one for time range X and the other for time range Y) and then inspect the results of each. Here's an example that uses 3 inputs.

gist.github.com

https://gist.github.com/richcollier/13e245c1c8c8cfc38ecb12e324ce301e

combine_anomaly_scores.json

#chained watch for combinine anomaly scores across jobs
POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1m"
      }
    },
    "metadata": {

This file has been truncated. show original

The time frames are the same in this example (but could differ)

Alternatively, you could do a single query over a time range, but then do a date_histogram aggregation on that query to break the time ranges up into chunks, aggregate the data in some way within those chunks, and then inspect the data in each sub aggregation. An example (albeit a little complex) can be seen here:

gist.github.com

https://gist.github.com/richcollier/31e4de8773d6f9183a6cf4799836b8e0

alert_on_three_consecutive_anomalies.txt

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1440m"
      }
    },
    "input": {
      "search": {

This file has been truncated. show original

system · November 17, 2022, 2:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.