Watcher search on multiple terms and action depending on conditional result

Hi.
What I am trying to achieve is:
Use a search query to find all events where the field status code is 400 OR 401 OR 403, AND the field servicegroup is one of 6 options, AND the count of events is > 300 for any status code, any servicegroup and an underlying endpoint for a given App over the past 30 minutes.
So f.i. we can have 500 events where status code = 401 for App ID 321 on servicegroup 'a' on endpoint 'xy' in the last 30 minutes.
Then, based on the above conditional result, I would want an email action that includes the results, and the email action can be triggered more than once,
because it can happen that in a 30 minute interval the watcher condition is observed 2 or more times.
Example: 600 events where status code = 400 for app ID 123 on servicegroup 'a' on endpoint 'xy', and as well 800 events where status code = 401 for app ID 456 on servicegroup 'b' on endpoint 'pq'. Therefore 2 email actions would be required, each containing the details of each occurrence.

My query to search for status and servicegroup:

"must": [
  {
    "bool": {
      "should": [
        { "match_phrase": { "status": 401 } },
        { "match_phrase": { "status": 400 } },
        { "match_phrase": { "status": 403 } }
      ]
    }
  },
  {
    "bool": {
      "should": [
        { "match_phrase": { "servicegroup": "cs" } },
        { "match_phrase": { "servicegroup": "atr" } },
        { "match_phrase": { "servicegroup": "port" } },
        { "match_phrase": { "servicegroup": "trade" } },
        { "match_phrase": { "servicegroup": "cm" } },
        { "match_phrase": { "servicegroup": "ens" } }
      ]
    }
  }
]

The aggregations:

"aggs": {
  "status": {
    "terms": {
      "field": "status",
      "size": 5,
      "order": { "_count": "desc" }
    },
    "aggs": {
      "appid": {
        "terms": {
          "field": "correlation.appid",
          "size": 5,
          "order": { "_count": "desc" }
        },
        "aggs": {
          "servername": {
            "terms": {
              "field": "servername",
              "size": 5,
              "order": { "_count": "desc" }
            }
          },
          "servicegroup": {
            "terms": {
              "field": "servicegroup",
              "size": 5,
              "order": { "_count": "desc" }
            }
          },
          "endpoint": {
            "terms": {
              "field": "endpoint",
              "size": 1,
              "order": { "_count": "desc" }
            }
          }
        }
      }
    }
  }
}

I have my condition set:

  "condition": {
    "script": {
      "source": """
        // Fire only when overall traffic is high enough and the top status/appid bucket exceeds the threshold.
        // Painless indexes lists with [0], not .0, and must return a boolean on every path.
        if (ctx.payload.hits.total <= 500) { return false; }
        def statusBuckets = ctx.payload.aggregations.status.buckets;
        if (statusBuckets.isEmpty() || statusBuckets[0].appid.buckets.isEmpty()) { return false; }
        return statusBuckets[0].appid.buckets[0].doc_count > 300;
      """,
      "lang": "painless"
    }
  }

And I am capturing the details in a table in my email action:

<b>Status 400 observed</b>
<table>
  <tr>
    <td><u>App ID</u></td>
    <td><u>Event count</u></td>
    <td><u>Top API endpoint</u></td>
  </tr>
  {{#ctx.payload.aggregations.status.buckets}}
  {{#appid.buckets}}
  <tr>
    <td>{{key}}</td>
    <td>{{doc_count}}</td>
    <td>
      <table>
        {{#endpoint.buckets}}
        <tr>
          <td>{{key}} - {{doc_count}} events</td>
        </tr>
        {{/endpoint.buckets}}
      </table>
    </td>
  </tr>
  {{/appid.buckets}}
  {{/ctx.payload.aggregations.status.buckets}}
</table>

Is the request feasible to capture in 1 watcher, or should it be spread over 3 different watchers based on the primary condition of status code?
How can I set conditional email actions based on a different base condition (status code)? I.e. how do I set the action condition to look for ctx.payload.aggregations.status?
And how could I make a foreach loop in case 2 different occurrences happen in a 30 minute interval, so that 2 different emails are sent?
Should I put a transform in between for this?

Hope it all makes sense and someone can help me out a bit :)
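One way to cover the last three questions in a single watch, added here as an illustration and not part of the original post: a script condition that fires when any status/appid bucket produced by the aggregation above exceeds the threshold, a script transform that flattens the offending buckets into a list (the returned map replaces the payload), and an email action using Watcher's `foreach` so one mail goes out per entry. The recipient address, action name and `threshold` parameter are placeholders, and `foreach`/`max_iterations` assume a Watcher version that supports them.

```json
{
  "condition": {
    "script": {
      "lang": "painless",
      "params": { "threshold": 300 },
      "source": """
        // True as soon as one status/appid bucket exceeds the threshold.
        for (def s : ctx.payload.aggregations.status.buckets) {
          for (def a : s.appid.buckets) {
            if (a.doc_count > params.threshold) { return true; }
          }
        }
        return false;
      """
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "params": { "threshold": 300 },
      "source": """
        // Flatten the nested buckets into one entry per offending status/appid pair,
        // carrying that pair's top endpoint. The returned map becomes the new payload.
        def hits = [];
        for (def s : ctx.payload.aggregations.status.buckets) {
          for (def a : s.appid.buckets) {
            if (a.doc_count <= params.threshold) { continue; }
            def top = a.endpoint.buckets.isEmpty() ? 'n/a' : a.endpoint.buckets[0].key;
            hits.add(['status': s.key, 'appid': a.key, 'count': a.doc_count, 'endpoint': top]);
          }
        }
        return ['occurrences': hits];
      """
    }
  },
  "actions": {
    "email_per_occurrence": {
      "foreach": "ctx.payload.occurrences",
      "max_iterations": 20,
      "email": {
        "to": "ops@example.invalid",
        "subject": "Status {{ctx.payload.status}} spike for app {{ctx.payload.appid}}",
        "body": {
          "html": "<b>Status {{ctx.payload.status}} observed</b><br/>App ID {{ctx.payload.appid}}: {{ctx.payload.count}} events, top endpoint {{ctx.payload.endpoint}}"
        }
      }
    }
  }
}
```

Inside a `foreach` action the current list element is exposed as `ctx.payload`, which is why the template reads `ctx.payload.appid` rather than the aggregation path; the trigger and search input from the original watch stay as they are.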
