Watcher that counts the documents that arrive to an index in kibana

stephenb · April 23, 2021, 11:34pm

found it!!! You beat me... that is because the aggregation is not inside the "hits" we need to be explicit with the field name

In the condition.

  "condition": {
    "compare": {
      "ctx.payload.aggregations.heartbeat_count.value": {
        "gte": 1000
      }
    }
  }

And Action should be

  "actions": {
    "notify-slack": {
      "slack": {
        "message": {
          "to": [
            "#stephenb-es-integration"
          ],
          "text": "Encountered  {{ctx.payload.aggregations.heartbeat_count.value}} heartbeats in the last 1 day (facepalm)"
        }
      }
    }
  }
}

I will fix above!

Results

{
  "watch_id": "_inlined_",
  "node": "6FBy_sIiSGONVnQZ5O8GkA",
  "state": "executed",
  "user": "elastic",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2021-04-23T23:35:37.938Z"
    },
    "last_checked": "2021-04-23T23:35:37.938Z",
    "last_met_condition": "2021-04-23T23:35:37.938Z",
    "actions": {
      "notify-slack": {
        "ack": {
          "timestamp": "2021-04-23T23:35:37.938Z",
          "state": "ackable"
        },
        "last_execution": {
          "timestamp": "2021-04-23T23:35:37.938Z",
          "successful": true
        },
        "last_successful_execution": {
          "timestamp": "2021-04-23T23:35:37.938Z",
          "successful": true
        }
      }
    },
    "execution_state": "executed",
    "version": -1
  },
  "trigger_event": {
    "type": "manual",
    "triggered_time": "2021-04-23T23:35:37.938Z",
    "manual": {
      "schedule": {
        "scheduled_time": "2021-04-23T23:35:37.938Z"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1d/d",
                      "lt": "now/d"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "heartbeat_count": {
              "value_count": {
                "field": "_index"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.heartbeat_count.value": {
        "gte": 1000
      }
    }
  },
  "metadata": {
    "name": "test-heartbeat-watcher",
    "xpack": {
      "type": "json"
    }
  },
  "result": {
    "execution_time": "2021-04-23T23:35:37.938Z",
    "execution_duration": 262,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 11,
          "failed": 0,
          "successful": 11,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 10000,
          "max_score": null
        },
        "took": 14,
        "timed_out": false,
        "aggregations": {
          "heartbeat_count": {
            "value": 60474
          }
        }
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "heartbeat-*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-1d/d",
                        "lt": "now/d"
                      }
                    }
                  }
                ]
              }
            },
            "aggs": {
              "heartbeat_count": {
                "value_count": {
                  "field": "_index"
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "compare",
      "status": "success",
      "met": true,
      "compare": {
        "resolved_values": {
          "ctx.payload.aggregations.heartbeat_count.value": 60474
        }
      }
    },
    "actions": [
      {
        "id": "notify-slack",
        "type": "slack",
        "status": "success",
        "slack": {
          "account": "monitoring",
          "sent_messages": [
            {
              "status": "success",
              "to": "#stephenb-es-integration",
              "message": {
                "from": "x-pack",
                "icon": "http://example.com/images/watcher-icon.jpg",
                "text": "Encountered  60474 heartbeats in the last 1 day (facepalm)"
              }
            }
          ]
        }
      }
    ]
  },
  "messages": []
}

Juan_David_Jaramillo · April 23, 2021, 11:35pm

but it doesn't show up in the mail action

stephenb · April 23, 2021, 11:36pm

It does... go back and go slow... mine just showed up in slack.

Do the simulate and force the action...

Show me your email action again.

Juan_David_Jaramillo · April 23, 2021, 11:36pm

"actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__64096482-0d81-43e6-abba-947a6aa2cc67-2021-04-23T23:36:17.648901Z_26879",
            "sent_date": "2021-04-23T23:36:17.658797Z",
            "to": [
              "victor.vera@megadvantage.com",
              "juan.jaramillo@megadvantage.com",
              "andres.molinac.pr@etb.com.co",
              "juan.ariasp1.pr@etb.com.co"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Estado herramienta monitoreo",
            "body": {
              "text": "Buen dia, \n\n ⚠La herramienta de monitoreo a funcionado correctamente en las ultimas  24 horas  \n \n Estado: UP🟢 \n\n 🕧Hora: 2021-04-23 18:36:17  \n\n Área: Networking \n \n🔔Mensaje Alerta: Por favor no responder a este mensaje \n\n "
            }
          }
        }
      }
    ]
  },
  "messages": []
}

Juan_David_Jaramillo · April 23, 2021, 11:37pm

this is the action:

"actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          "victor.vera@megadvantage.com",
          "juan.jaramillo@megadvantage.com",
          "andres.molinac.pr@etb.com.co",
          "juan.ariasp1.pr@etb.com.co"
        ],
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}}",
        "body": {
          "text": """Buen dia, 

 ⚠La herramienta de monitoreo a funcionado correctamente en las ultimas  24 horas  {{ctx.payload.aggregations.heartbeat_count.value}}
 
 Estado: UP🟢 

 🕧Hora: {{ctx.payload.time_triggered}}  {{ctx.result.execution_time}}

 Área: Networking 
 
🔔Mensaje Alerta: Por favor no responder a este mensaje 

 """
        }
      }
    }
  },

Juan_David_Jaramillo · April 23, 2021, 11:39pm

does not show it in the mail:

 "actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__48c2b07b-4996-4d22-9cfe-34bac4cd8ac3-2021-04-23T23:38:30.195799Z_26880",
            "sent_date": "2021-04-23T23:38:30.205315Z",
            "to": [
              "victor.vera@megadvantage.com",
              "juan.jaramillo@megadvantage.com",
              "andres.molinac.pr@etb.com.co",
              "juan.ariasp1.pr@etb.com.co"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Estado herramienta monitoreo",
            "body": {
              "text": "Buen dia, \n\n ⚠La herramienta de monitoreo a funcionado correctamente en las ultimas  24 horas  \n \n Estado: UP🟢 \n\n 🕧Hora: 2021-04-23 18:38:30  \n\n Área: Networking \n \n🔔Mensaje Alerta: Por favor no responder a este mensaje \n\n "
            }
          }
        }
      }
    ]
  },
  "messages": []
}

stephenb · April 23, 2021, 11:39pm

can you test a simple body without all the punctuation first like

"text": "Encountered {{ctx.payload.aggregations.heartbeat_count.value}} heartbeats in the last 1 day"

Juan_David_Jaramillo · April 23, 2021, 11:40pm

Like this?

 "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          "victor.vera@megadvantage.com",
          "juan.jaramillo@megadvantage.com",
          "andres.molinac.pr@etb.com.co",
          "juan.ariasp1.pr@etb.com.co"
        ],
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}}",
        "body": {
          "text":  "Encountered {{ctx.payload.aggregations.heartbeat_count.value}} heartbeats in the last 1 day"
        }
      }
    }
  },

stephenb · April 23, 2021, 11:42pm

I just sent your text to slack looks like this and I see the number

Buen dia,
La herramienta de monitoreo a funcionado correctamente en las ultimas 24 horas 60474

Estado: UP:large_green_circle:
Hora:
Área: Networking

Mensaje Alerta: Por favor no responder a este mensaje

Juan_David_Jaramillo · April 23, 2021, 11:43pm

no good, nothing appears

 "actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__86e47b0a-e497-41e0-83bf-ff852ce4346b-2021-04-23T23:41:10.833199Z_26881",
            "sent_date": "2021-04-23T23:41:10.845017Z",
            "to": [
              "victor.vera@megadvantage.com",
              "juan.jaramillo@megadvantage.com",
              "andres.molinac.pr@etb.com.co",
              "juan.ariasp1.pr@etb.com.co"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Estado herramienta monitoreo",
            "body": {
              "text": "Encountered  heartbeats in the last 1 day"
            }
          }
        }
      }
    ]
  },
  "messages": []
}

Juan_David_Jaramillo · April 23, 2021, 11:44pm

what error is it? it doesn't work for me

stephenb · April 23, 2021, 11:44pm

Something else is going on let me look close

My Slack

Juan_David_Jaramillo · April 23, 2021, 11:45pm

I am sending you the whole code for your review:

{
  "trigger": {
    "schedule": {
      "daily": {
        "at": [
          "14:00"
        ]
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1d/d",
                      "lt": "now/d"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "heartbeat_count": {
              "value_count": {
                "field": "_index"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.heartbeat_count.value": {
        "gte": 1000
      }
    }
  },
  "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "attach_data": {
          "format": "yaml"
        },
        "to": [
          "victor.vera@megadvantage.com",
          "juan.jaramillo@megadvantage.com",
          "andres.molinac.pr@etb.com.co",
          "juan.ariasp1.pr@etb.com.co"
        ],
        "bcc": [
          "juancho.jaramillo16@gmail.com"
        ],
        "subject": "{{ctx.metadata.name}}",
        "body": {
          "text":  "Encountered {{ctx.payload.aggregations.heartbeat_count.value}} heartbeats in the last 1 day"
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": "return [ 'time_triggered': Instant.ofEpochMilli(ctx.trigger.triggered_time.getMillis()).atZone(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')) ];",
      "lang": "painless"
    }
  }
}

stephenb · April 23, 2021, 11:58pm

To Test

  "trigger": {
    "schedule": {
      "interval": "15s"
    }
  },

To test take out that transform script at the bottom can try that later.

,
  "transform": {
    "script": {
      "source": "return [ 'time_triggered': Instant.ofEpochMilli(ctx.trigger.triggered_time.getMillis()).atZone(ZoneId.of('America/Bogota')).format(DateTimeFormatter.ofPattern('YYYY-MM-dd HH:mm:ss')) ];",
      "lang": "painless"
    }
  }

so just try this (put the simple email back in).
Email just to you (are you spamming your friends )

 {
  "trigger": {
    "schedule": {
      "interval": "15s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1d/d",
                      "lt": "now/d"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "heartbeat_count": {
              "value_count": {
                "field": "_index"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.heartbeat_count.value": {
        "gte": 1000
      }
    }
  },
  "actions": {
    "notify-slack": {
      "slack": {
        "message": {
          "to": [
            "#stephenb-es-integration"
          ],
          "text": "{{ctx.metadata.name}} : Encountered {{ctx.payload.aggregations.heartbeat_count.value}} heartbeats in the last 1 day"
        }
      }
    }
  }
}

My output

[4:58]
test-heartbeat-watcher : Encountered 60474 heartbeats in the last 1 day

[4:58]
test-heartbeat-watcher : Encountered 60474 heartbeats in the last 1 day

[4:58]
test-heartbeat-watcher : Encountered 60474 heartbeats in the last 1 day

[4:59]
test-heartbeat-watcher : Encountered 60474 heartbeats in the last 1 day

@Juan_David_Jaramillo I need to step out for a bit... you are close....

Juan_David_Jaramillo · April 24, 2021, 12:05am

Thank you, it was indeed because of the script that I did not get it.
But now I have a problem, I can't use the script?

"actions": [
      {
        "id": "email_1",
        "type": "email",
        "status": "simulated",
        "email": {
          "message": {
            "id": "email_1__inlined__bf91ec99-e03d-4917-8f25-483335fc9da2-2021-04-24T00:04:05.187357Z_26886",
            "sent_date": "2021-04-24T00:04:05.201541Z",
            "to": [
              "victor.vera@megadvantage.com",
              "juan.jaramillo@megadvantage.com"
            ],
            "bcc": [
              "juancho.jaramillo16@gmail.com"
            ],
            "subject": "Estado herramienta monitoreo",
            "body": {
              "text": "Buen dia, \n\n ⚠La herramienta de monitoreo a funcionado correctamente en las ultimas  24 horas  \n \n there are 82076 documents in your index. Threshold is 1000.\n \n Estado: UP🟢 \n\n 🕧Hora:   \n\n Área: Networking \n \n🔔Mensaje Alerta: Por favor no responder a este mensaje \n\n "
            }
          }
        }
      }
    ]
  },

stephenb · April 24, 2021, 12:07am

Yay !

The Script... Perhaps.... Probably and error in the script.... Perhaps I can take a look later.

What are you actually trying to do with the script?

Are You just trying to display the triggered time in the correct time zone?

Juan_David_Jaramillo · April 24, 2021, 12:08am

yes,I need to display the actual time in my time zone.

stephenb · April 24, 2021, 12:16am

Yes OK... I am sure we can figure that out.

Someone with painless might be faster... so perhaps a new thread..

Or I will take a look later...

Juan_David_Jaramillo · April 24, 2021, 12:18am

ok, thanks, if it is important too, I need the real time because elasticsearch gives the wrong time, that's why I need the script.

stephenb · April 24, 2021, 12:20am

Understood... it will be easy once we know the "Encantamiento mágico"

Topic		Replies	Views
Need help with watcher Elasticsearch elastic-stack-alerting	2	346	June 7, 2021
Watcher not firing Kibana elastic-stack-alerting	2	408	July 27, 2021
Email notification with source details Elasticsearch elastic-stack-alerting	4	628	May 30, 2018
Watcher does not show results in the mail message Elasticsearch elastic-stack-alerting	3	625	May 24, 2021
How to send logs by watchers action Kibana elastic-stack-alerting	2	385	June 18, 2021

Watcher that counts the documents that arrive to an index in kibana

Related topics