Watcher: The triggered_time is 2 hours behind the current time

stack-alerting

#1

For Example:

Execution Output:

{
  "watch_id": "49b060ac-cf03-413d-b1d1-bc6b6d2ac2b7",
  "node": "Ukh-HUj2Ts28O82RcpmdiQ",
  "state": "execution_not_needed",
  "user": "user-1",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2019-04-16T08:13:07.407Z"
    },
    "last_checked": "2019-04-16T09:37:07.646Z",
    "actions": {},
    "execution_state": "execution_not_needed",
    "version": -1
  },
  "trigger_event": {
    "type": "schedule",
    "triggered_time": "2019-04-16T09:37:07.646Z",
    "schedule": {
      "scheduled_time": "2019-04-16T09:37:07.452Z"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.hits.total > params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 1000
      }
    }
  },
  "metadata": {
    "name": "test",
    "watcherui": {
      "trigger_interval_unit": "m",
      "agg_type": "count",
      "time_field": "@timestamp",
      "trigger_interval_size": 1,
      "term_size": 5,
      "time_window_unit": "m",
      "threshold_comparator": ">",
      "term_field": null,
      "index": [
        "logstash-*"
      ],
      "time_window_size": 5,
      "threshold": 1000,
      "agg_field": null
    },
    "xpack": {
      "type": "threshold"
    }
  },
  "result": {
    "execution_time": "2019-04-16T09:37:07.646Z",
    "execution_duration": 5,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 40,
          "failed": 0,
          "successful": 40,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 15,
          "max_score": 0
        },
        "took": 4,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "logstash-*"
          ],
          "types": [],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "gte": "2019-04-16T09:37:07.452Z||-5m",
                      "lte": "2019-04-16T09:37:07.452Z",
                      "format": "strict_date_optional_time||epoch_millis"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "script",
      "status": "success",
      "met": false
    },
    "actions": []
  },
  "messages": []
}

(Thibaut Maire) #2

I have the same issue. It happens because Watcher runs in UTC and you are probably in UTC+2; the trailing `Z` on the timestamps in your execution output marks them as UTC. That's why you see an apparent 2-hour delay.

I don't think there is a solution for the moment, but an issue has been opened to add timezone configuration to Watcher: https://github.com/elastic/elasticsearch/issues/34659

Thibaut