Watcher - show high-bytes by IP


(Mike Jenkins) #1

I was wondering if anyone may be able to lead me in the right direction...
I am setting up a Watcher alert that will compare a numeric field to see if it is greater than 10000 (example used in sample). And if it is, then it will email that value and the IP address that it aligns with to a set email address.

I am running on version 5.6.2.

The issues I am running into are that it will give ONLY 10 results and it seems like it ONLY compares to the 4th result.

This is a pastebin of my Watcher Input I am using. Email and IP have been removed.
https://pastebin.com/Fk4q0hbx

This is the result that I get from that input with my data. Again Email and IPs have been removed.
https://pastebin.com/fRexsM9c

In the results, lines 121 - 188 are the payload information that is being compared.
It compares the "value": XXXXX and, if true, will then post the preceding "key": "IP ADDRESS" in the email.

However Line 250 shows only the 4th result information and the preceding action email is for only the 4th result.

Any information would be great!


(Mike Jenkins) #2

So, I figured out a majority of the issues... It was figuring out that 10 was the default result size (dummy me)... Then the issue where it was only getting my 4th given result was because of the compare item it was hitting.

I guess my next question is: is there a way to do a wildcard in the Condition field of a Watcher event?

My condition is:

  "condition": {
    "compare": {
      "ctx.payload.aggregations.2.buckets.*.3.value": {
        "gte": 10000000
      }
    }
  },

Where the * needs to be a wild card to hit result 0 - 9 (basically the 10 results given)...

Has anyone attempted this or have a thought on it?


(Alexander Reelsen) #3

I think the array compare condition is exactly what you are looking for.

--Alex


(Mike Jenkins) #4

Thank you for the reply @spinscale.

I tried the array_compare and it looks like it may work! However, I am curious...

From what I can tell with the array_compare is that if ONE of the items in the array is true then it would list the comparison as true. Even for the items in the array that are not true....

This is what I have:

  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.2.buckets": {
        "path": "3.value",
        "gte": {
          "value": "100000"
        }
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "**Email Address**"
        ],
        "subject": "Watcher Test Alert",
        "body": {
          "text": "The IP [{{#ctx.payload.aggregations.2.buckets}}{{key}} {{/ctx.payload.aggregations.2.buckets}}] spiked usage with [{{#ctx.payload.aggregations.2.buckets}}{{3.value}} {{/ctx.payload.aggregations.2.buckets}}]"
        }
      }
    }
  }

In the simulation results under the comparison it shows each of the 10 items I am trying to compare and see if it is greater than 100000. My guess is that because one of them meets the requirements it lists all of them... However, I only want the ones that met it to be listed.

Do you know of a way for that?


(Alexander Reelsen) #5

You are right.

The condition is only about returning true or false in order to continue to the actions. If you only want to process the buckets exceeding a certain threshold, you need to have another transform in the action and prepare your data there as needed.
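One way to put that advice together, as an added example that is not part of the thread and not the poster's watch: the array_compare condition from post #4 stays as the gate (no email is sent when no bucket crosses the line), and an action-level script transform (Painless) rebuilds the payload so that only the buckets at or above the threshold reach the email template. The index pattern, field names and recipient below are placeholders; the aggregation ids "2" and "3" and the 100000 threshold are taken from the thread. The `source` script key is the 6.x spelling and is assumed to be accepted on 5.6 (the older `inline` key is the 5.x name). Note that inside Painless the numeric aggregation id must be addressed as `aggregations['2']`, since `aggregations.2` is not valid script syntax, whereas the dotted path in array_compare handles it fine.

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["<flow-index-pattern>"],
        "body": {
          "size": 0,
          "aggs": {
            "2": {
              "terms": { "field": "<source-ip-field>", "size": 100 },
              "aggs": { "3": { "sum": { "field": "<bytes-field>" } } }
            }
          }
        }
      }
    }
  },
  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.2.buckets": {
        "path": "3.value",
        "gte": { "value": 100000 }
      }
    }
  },
  "actions": {
    "send_email": {
      "transform": {
        "script": {
          "lang": "painless",
          "source": "def spikes = []; for (b in ctx.payload.aggregations['2'].buckets) { if (b['3'].value >= params.threshold) { spikes.add(['ip': b.key, 'bytes': b['3'].value]); } } return ['spikes': spikes];",
          "params": { "threshold": 100000 }
        }
      },
      "email": {
        "profile": "standard",
        "to": ["alerts@example.com"],
        "subject": "Watcher Test Alert",
        "body": {
          "text": "IPs over threshold:\n{{#ctx.payload.spikes}}{{ip}} spiked usage with {{bytes}} bytes\n{{/ctx.payload.spikes}}"
        }
      }
    }
  }
}
```

The transform's return value replaces `ctx.payload` for that action only, so the Mustache loop iterates the filtered `spikes` list rather than every bucket. The terms `size` of 100 is the fix for the 10-result default mentioned in post #2; raise it to whatever your IP space needs, and keep the `params.threshold` value in step with the condition's `gte` so the gate and the filter agree.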

