Hello. I have been trying to write a Watcher that looks for specific conditions in data and then sends out an email, but it doesn't work. I have managed to shrink the Watcher down to a bare minimum and have found out that my filter range expression using time does not work. When I run the Watcher in the simulation, the Watcher does not fire.
The line that is not working is:
{
  "range": {
    "doc['@timestamp'].date.millisOfDay": {
      "gte": 0,
      "lte": 21870000
    }
  }
}
Basically the filter range statement should return any documents where the timestamp is between midnight and 6:45 UTC. I don't know why it is not working!
The Watcher interval is 30 minutes and the range of data being looked at is 7 days for debugging purposes.
We are using Elastic Cloud version 7.8.
Complete Watcher code:
{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "filebeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "{{ctx.trigger.scheduled_time}}||-7d",
                      "lte": "{{ctx.trigger.scheduled_time}}",
                      "format": "strict_date_optional_time||epoch_millis"
                    }
                  }
                },
                {
                  "range": {
                    "doc['@timestamp'].date.millisOfDay": {
                      "gte": 0,
                      "lte": 21870000
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "bucketAgg": {
              "terms": {
                "field": "almqueue",
                "size": "1",
                "order": {
                  "metricAgg": "desc"
                }
              },
              "aggs": {
                "metricAgg": {
                  "max": {
                    "field": "almqueue"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value > params.threshold) { return true; } } return false;",
      "lang": "painless",
      "params": {
        "threshold": 2300
      }
    }
  },
  "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "to": [
          "ajazam@company.com"
        ],
        "subject": "Watch [{{ctx.metadata.name}}] for time 04:45 - 06:45 has exceeded alarm threshold of 2300"
      }
    }
  }
}
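The post's goal is a time-of-day window on @timestamp (milliseconds since midnight UTC). The block below is an added example, not code from the post, that works the same filter out in Python so the window bounds can be checked before they go into a watch: it converts an HH:MM UTC bound to millisOfDay, computes millisOfDay for each of a few constructed log records (including one carrying a non-UTC offset, since Elasticsearch normalises @timestamp to UTC), applies the window, and builds an equivalent Elasticsearch `script` query. The Painless source it emits assumes the 7.x date API where `doc['@timestamp'].value` is a ZonedDateTime in UTC with `getHour()`, `getMinute()` and `getSecond()`; the field and parameter names are the example's own.

```python
from datetime import datetime, timezone
import json


def hhmm_to_millis_of_day(hour, minute, second=0):
    """Milliseconds since midnight for a UTC wall-clock bound, e.g. 06:45 -> 24300000."""
    return ((hour * 60 + minute) * 60 + second) * 1000


def millis_of_day_utc(ts):
    """Milliseconds since midnight UTC for an ISO-8601 timestamp.

    A trailing 'Z' or an explicit offset is honoured, and the instant is
    converted to UTC first, matching how Elasticsearch stores @timestamp.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return ((dt.hour * 60 + dt.minute) * 60 + dt.second) * 1000 + dt.microsecond // 1000


def in_window(ts, start_ms, end_ms):
    """Inclusive window check, the same semantics as a range with gte/lte."""
    return start_ms <= millis_of_day_utc(ts) <= end_ms


# Constructed sample records; "almqueue" mirrors the field aggregated in the watch.
SAMPLE_DOCS = [
    {"@timestamp": "2020-07-01T05:10:00Z", "almqueue": 2400},       # 05:10 UTC, inside
    {"@timestamp": "2020-07-01T06:45:00Z", "almqueue": 1200},       # exactly on the upper bound
    {"@timestamp": "2020-07-01T06:45:00.001Z", "almqueue": 2500},   # 1 ms past the bound, outside
    {"@timestamp": "2020-07-01T08:30:00+02:00", "almqueue": 2350},  # 06:30 UTC, inside
    {"@timestamp": "2020-07-01T13:00:00Z", "almqueue": 9000},       # afternoon, outside
]


def filter_docs(docs, start_ms, end_ms):
    """Return the records whose UTC time of day falls inside [start_ms, end_ms]."""
    return [d for d in docs if in_window(d["@timestamp"], start_ms, end_ms)]


def time_of_day_script_query(start_ms, end_ms, field="@timestamp"):
    """Build an Elasticsearch script query expressing the same window.

    Assumption: ES 7.x Painless, where doc[field].value is a UTC ZonedDateTime.
    The bounds are passed as params so the compiled script is cached across runs.
    """
    source = (
        "def t = doc['%s'].value; "
        "long ms = ((t.getHour() * 60 + t.getMinute()) * 60 + t.getSecond()) * 1000L; "
        "return ms >= params.start_ms && ms <= params.end_ms;" % field
    )
    return {
        "script": {
            "script": {
                "source": source,
                "lang": "painless",
                "params": {"start_ms": start_ms, "end_ms": end_ms},
            }
        }
    }


if __name__ == "__main__":
    start, end = hhmm_to_millis_of_day(0, 0), hhmm_to_millis_of_day(6, 45)
    for d in filter_docs(SAMPLE_DOCS, start, end):
        print(d["@timestamp"], millis_of_day_utc(d["@timestamp"]), d["almqueue"])
    print(json.dumps(time_of_day_script_query(start, end), indent=2))
```

Running the block prints the three in-window records and the script query that can be placed in the watch's `bool.filter` list in place of a range clause; the upper-bound record shows that `lte` keeps the boundary instant and drops the next millisecond.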