Watcher taking different queries into account

Hi,

We have an index "Server-Index" where we sometimes get a string indexed with the contents "foo". A few seconds later some other messages get indexed as well that are tied to the "foo" string above. What we want to do is to trigger if "foo" appears and then aggregate the subsequent messages that are related to the "foo" string for 5 minutes. Is this possible?

For example:

12:00 we receive a message containing "foo" <- Now we know something bad has happened and in a few seconds we will receive more messages that are related to the first message "foo".
12:01 2 messages arrive which contain more information
12:02 4 more messages arrive which contain more information
12:05 we send an alert containing the "foo" string along with all the information provided in the messages received thereafter.

Is this possible, and if so, what should I be looking at?

Thanks

I have tried to use chain inputs but I cannot seem to get it quite right. I have come up with the following:

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "chain" : {
       "inputs" : [
           {
            "first": {
            "search": {
                "request": {
                "search_type": "query_then_fetch",
                "indices": [
                "logstash-server-*"
                ],
                "types": [],
                "body": {
                "size": 0,
                "query": {
                "bool": {
                    "filter": [
                    {
                        "range": {
                        "@timestamp": {
                        "from": "now-24h",
                        "to": "now"
                    }
                    }
                    },
                    {
                        "search": {
                        "message": "'vSphere HA detected a possible host failure of host'"
                    }
                    }
                    ]
                }
                }
                }
                }
                }
                },
                "second" : {
                    "search" : {
                        "message" : "'Virtual machine'"
                    }
                
            }
            }
            ]
          }
    },
  "condition": {
    "always": {}
  },
  "actions": {
    "email_admin": {
      "email": {
        "profile": "standard",
        "to": [
          "user@example.com"
        ],
        "subject": "Host-Restart-Test",
        "body": {
          "text": ""
        }
      }
    }
  }
}

When I run the code above I get the following error:

[parse_exception] Expected closing JSON object after parsing input [search] named [first] in watch [inlined]

What seems to be the issue?
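As an added example (not code from the thread or from Elastic), the script below builds the same two-step watch with the chain-input layout Watcher expects: every entry in "inputs" is its own single-key object, each named input is a full "search" input with a "request", and the text match uses a "match" query rather than the non-existent "search" query type. It also includes a small structural checker that flags the layout from the question. The index pattern, phrases and e-mail address are the placeholders from the question; the 5-minute window, the "compare" condition on "ctx.payload.first.hits.total" (assumed to be an integer in the watch payload, which depends on the Elasticsearch version) and the mustache body are my assumptions about how the alert should be assembled.

```python
import json

# Constructed example: placeholders taken from the question, not a real deployment.
INDEX_PATTERN = "logstash-server-*"
TRIGGER_PHRASE = "vSphere HA detected a possible host failure of host"
FOLLOWUP_PHRASE = "Virtual machine"
WINDOW = "5m"  # assumed correlation window, matching the trigger interval


def search_input(phrase, window=WINDOW, size=50):
    """A Watcher 'search' input over the last `window` of the index.

    Uses a 'match' query; 'search' is not a query type, which is one of the
    reasons the watch in the question does not parse.
    """
    return {
        "search": {
            "request": {
                "indices": [INDEX_PATTERN],
                "body": {
                    "size": size,
                    "sort": [{"@timestamp": {"order": "asc"}}],
                    "query": {
                        "bool": {
                            "filter": [
                                {"range": {"@timestamp": {"gte": f"now-{window}", "lte": "now"}}},
                                {"match": {"message": phrase}},
                            ]
                        }
                    },
                },
            }
        }
    }


def build_watch():
    """Corrected watch: one single-key object per chain input."""
    # Putting "first" and "second" into the same object is what produces
    # "Expected closing JSON object after parsing input [search] named [first]".
    return {
        "trigger": {"schedule": {"interval": WINDOW}},
        "input": {
            "chain": {
                "inputs": [
                    {"first": search_input(TRIGGER_PHRASE)},
                    {"second": search_input(FOLLOWUP_PHRASE)},
                ]
            }
        },
        # Only alert when the trigger phrase actually appeared in the window
        # (assumption: hits.total is exposed as an integer in the payload).
        "condition": {"compare": {"ctx.payload.first.hits.total": {"gt": 0}}},
        "actions": {
            "email_admin": {
                "email": {
                    "profile": "standard",
                    "to": ["user@example.com"],
                    "subject": "Host-Restart-Test",
                    "body": {
                        "text": (
                            "Trigger messages:\n"
                            "{{#ctx.payload.first.hits.hits}}{{_source.message}}\n{{/ctx.payload.first.hits.hits}}"
                            "\nRelated messages in the same window:\n"
                            "{{#ctx.payload.second.hits.hits}}{{_source.message}}\n{{/ctx.payload.second.hits.hits}}"
                        )
                    },
                }
            }
        },
    }


def chain_input_errors(watch):
    """Return a list of structural problems in the chain inputs (empty if OK)."""
    errors = []
    for idx, entry in enumerate(watch["input"]["chain"]["inputs"]):
        if len(entry) != 1:
            errors.append(f"input #{idx} has {len(entry)} keys, expected exactly one")
            continue
        (name, body), = entry.items()
        if "search" not in body or "request" not in body["search"]:
            errors.append(f"input [{name}] is not a search input with a request")
            continue
        if '"search":' in json.dumps(body["search"]["request"]["body"]["query"]):
            errors.append(f"input [{name}] uses 'search' as a query type")
    return errors


def broken_chain_from_question():
    """The layout from the question, for comparison: two named inputs in one object."""
    return {"input": {"chain": {"inputs": [
        {"first": search_input(TRIGGER_PHRASE), "second": {"search": {"message": FOLLOWUP_PHRASE}}}
    ]}}}


if __name__ == "__main__":
    watch = build_watch()
    print(json.dumps(watch, indent=2))
    print("errors in corrected watch:", chain_input_errors(watch))
    print("errors in question's layout:", chain_input_errors(broken_chain_from_question()))
```

Running the script prints the corrected watch body ready for a PUT to the watch API, an empty error list for it, and one error for the question's layout. Note that the second input here simply searches the same window for the follow-up phrase; it does not join on a field shared with the first hit, because the thread names no such field.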

Hey,

While this might be possible with Watcher and some advanced queries, I think the functionality you should take a closer look at is data frames, as this allows you to summarize your data, even in a streaming fashion.

--Alex
