Watcher triggers when it shouldn't

I've created some watchers to check if all communications are working in our company. This watcher should trigger when there are no hits in the past hour.

The problem is it fires sometimes; when I run the exact same query it returns 700+ hits. Is there something wrong with this watcher, or can this happen because the hits (messages) are quite large?

PS: when I simulate the watcher, it always returns hits.

{
  "trigger": {
    "schedule": {
      "daily": {
        "at": [
          {
            "hour": [
              8,
              9,
              10,
              12,
              14,
              16,
              18,
              20,
              22,
              23
            ],
            "minute": [
              0,
              30
            ]
          }
        ]
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "_all"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "fields": [
                      "receiver"
                    ],
                    "analyzer": "standard",
                    "query": "stockservice"
                  }
                },
                {
                  "query_string": {
                    "fields": [
                      "document"
                    ],
                    "analyzer": "standard",
                    "query": "stock"
                  }
                },
                {
                  "range": {
                    "created_at": {
                      "gte": "now-1h",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "eq": 0
      }
    }
  },
  "actions": {
    "opsgenie": {
      "webhook": {
        "scheme": "https",
        "host": "api.opsgenie.com",
        "port": 443,
        "method": "post",
        "path": "/v1/json/eswatcher",
        "params": {
          "apiKey": "123456789"
        },
        "headers": {
          "Content-Type": "application/json"
        },
        "body": "{{#toJson}}ctx{{/toJson}}"
      }
    }
  }
}

Hi @Jeroen2,

I've tested your watcher (with other actions) and it is working fine for me on 7.10.0: it triggered until I created a document matching that query :+1:

I think you could improve it by adding "size": 0 to the body so the request does not return the actual payload of the documents, but that should not affect your random firing.

One thing that surprised me, though, is that you are running it for all the indices "indices": [ "_all" ], but looking for specific fields in the query. Again, not sure if that would affect much, but it personally feels a bit odd.

Does it mean you get this result in the simulation?

    "condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 700
        }
      }
    },

It claims the condition is "met": false in my case because I have 700 documents matching the query.
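
The two changes suggested in the reply above, as an added example that is not part of the original thread: a small Python check that flags a count-only watch which searches every index or fetches document bodies, plus a helper that applies both fixes. The function names, the trimmed sample watch and the index name `messages` are assumptions.

```python
import copy

# Constructed sample: the search input and condition from the watcher above, trimmed.
SAMPLE_WATCH = {
    "input": {"search": {"request": {
        "indices": ["_all"],
        "rest_total_hits_as_int": True,
        "body": {"query": {"bool": {"must": [
            {"query_string": {"fields": ["receiver"], "query": "stockservice"}},
            {"range": {"created_at": {"gte": "now-1h", "lte": "now"}}},
        ]}}},
    }}},
    "condition": {"compare": {"ctx.payload.hits.total": {"eq": 0}}},
}


def lint_watch(watch):
    """Return findings for a count-only search watch (the two points from the reply)."""
    findings = []
    request = watch.get("input", {}).get("search", {}).get("request", {})
    indices = request.get("indices") or []
    # An omitted or empty list also means "every index" for a search input.
    if not indices or any(name in ("_all", "*") for name in indices):
        findings.append("indices: searches every index; name the index that holds the fields")
    compared = list(watch.get("condition", {}).get("compare", {}))
    count_only = bool(compared) and all(
        path.startswith("ctx.payload.hits.total") for path in compared)
    if count_only and request.get("body", {}).get("size") != 0:
        findings.append('body: condition only reads hits.total; add "size": 0')
    return findings


def apply_fixes(watch, index_name):
    """Return a copy with the target index set and document bodies suppressed."""
    fixed = copy.deepcopy(watch)
    request = fixed["input"]["search"]["request"]
    request["indices"] = [index_name]
    request["body"]["size"] = 0
    return fixed


if __name__ == "__main__":
    for finding in lint_watch(SAMPLE_WATCH):
        print("WARN", finding)
    # "messages" is a placeholder index name, not taken from the thread.
    print(lint_watch(apply_fixes(SAMPLE_WATCH, "messages")))
```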

Hi afharo,

thanks for your reply. I changed the indices to the matching index and changed the body message to "size" : 0. I'll let you know if it helped.

Afharo's solutions solved my problem. I think the body contents of my request were too big. Thanks!