Watcher triggers when it shouldn't

Jeroen2 · November 23, 2020, 12:18pm

I've created some watchers to check if all communications are working in our company. This watcher should trigger when there's no hits in the pas hour.

The problem is it fires sometimes, when I run the exact same query it returns 700+ hits. Is there something wrong with this watcher, or can this happen because the hits (messages) are quite large?

ps: when I simulate the watcher, it always returns hits.

{
  "trigger": {
    "schedule": {
      "daily": {
        "at": [
          {
            "hour": [
              8,
              9,
              10,
              12,
              14,
              16,
              18,
              20,
              22,
              23
            ],
            "minute": [
              0,
              30
            ]
          }
        ]
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "_all"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "fields": [
                      "receiver"
                    ],
                    "analyzer": "standard",
                    "query": "stockservice"
                  }
                },
                {
                  "query_string": {
                    "fields": [
                      "document"
                    ],
                    "analyzer": "standard",
                    "query": "stock"
                  }
                },
                {
                  "range": {
                    "created_at": {
                      "gte": "now-1h",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "eq": 0
      }
    }
  },
  "actions": {
    "opsgenie": {
      "webhook": {
        "scheme": "https",
        "host": "api.opsgenie.com",
        "port": 443,
        "method": "post",
        "path": "/v1/json/eswatcher",
        "params": {
          "apiKey": "123456789"
        },
        "headers": {
          "Content-Type": "application/json"
        },
        "body": "{{#toJson}}ctx{{/toJson}}"
      }
    }
  }
}

afharo · November 23, 2020, 4:15pm

Hi @Jeroen2,

I've tested your watcher (with other actions) and it is working fine for me on 7.10.0: it triggered until I created a document matching that query

I think you could improve it by adding "size": 0 to the body so the request does not return the actual payload of the documents, but that should not affect your random firing.

One thing that surprised me, though is that you are running it for all the indices "indices": [ "_all" ], but looking for specific fields in the query. Again, not sure if that would affect much, but it personally feels a bit odd.

Does it mean you get this result in the simulation?

    "condition": {
      "type": "compare",
      "status": "success",
      "met": false,
      "compare": {
        "resolved_values": {
          "ctx.payload.hits.total": 700
        }
      }
    },

It claims the condition is "met": false in my case because I have 700 documents matching the query.

Jeroen2 · November 24, 2020, 9:58am

Hi afharo,

thanks for your reply. I changed the indices to the matching index and changed the body message to "size" : 0. I'll let you know if it helped.

Jeroen2 · December 1, 2020, 10:36am

Afharo's solutions solved my problem. I think the body contents of my request was too big. Thanks!

system · December 29, 2020, 10:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.