Watcher with different thresholds

Elastic Observability
1

hi
im trying to figure up if I've the ability to alert different thresholds in same watcher task .
i have index that's contains some different devices with numer of events
i want to create watcher that will have different threshold per device (i need about 6-7 different threshold.. for example eqp1 will have threshold X and eqp2 will have threshold y and so on..

watcher
watcher1937×659 140 KB

current json watcher

PUT _watcher/watch/dbfae395-2733-4e46-82ba-b80d12d08ae3
{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-1h",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "bucketAgg": {
              "terms": {
                "field": "model.keyword",
                "size": "10",
                "order": {
                  "metricAgg": "desc"
                }
              },
              "aggs": {
                "metricAgg": {
                  "max": {
                    "field": "num_of_events"
                  }
                }
              }
            }
          }
        },
        "indices": [
          "acs_device_event*"
        ]
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i]['metricAgg'].value > params.threshold) { return true; } } return false;",
      "params": {
        "threshold": 20000
      }
    }
  },
  "transform": {
    "script": {
      "source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = arr[i]['metricAgg'].value; if (filteredHit.value > params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
      "params": {
        "threshold": 20000
      }
    }
  },
  "actions": {
    "webhook_1": {
      "webhook": {
        "host": "XXXXXX",
        "port": XXXXXX,
        "method": "post",
        "scheme": "http",
        "body": "{\n  \"message\": \"Watch [{{ctx.metadata.name}}] to many events on acs  has exceeded the threshold of 20K\"\n}"
      }
    }
  }
}

is it possible ?
thank you

2

Hi,

In your script, you can add a condition for each device and set a different threshold for each one. Here's an example of how you can modify your script to add different thresholds for different devices:

"source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i].key == 'eqp1' && arr[i]['metricAgg'].value > params.threshold_eqp1) { return true; } else if (arr[i].key == 'eqp2' && arr[i]['metricAgg'].value > params.threshold_eqp2) { return true; } } return false;",
"params": {
  "threshold_eqp1": 20000,
  "threshold_eqp2": 30000
}

In this example, 'eqp1' has a threshold of 20,000 and 'eqp2' has a threshold of 30,000. You can add more conditions for more devices as needed.

Remember to also modify your transform script to include these different thresholds.

Please note that this is a simple example and might need to be adjusted based on your exact requirements and data structure.

3

I will try that ..
Thank you very mush