Watchers Offenders limited to 10?

Hi all,

I have written a watcher that grabs all the host_ids that have sent logs in the past 5 minutes and sends them to a webhook.

I can see from doing a query in Kibana that there are ~20 or so in a 5-minute period.

However, when the watcher sends the webhook it is only sending the top 10 ids; obviously this is capped somewhere at the top 10.

Any ideas how to adapt my watcher so that it sends ALL the device_ids? Is it a setting inside here, or a global setting like the size on the aggregation setting?

Bear in mind that this number could reach 10000+ in the future.

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "tid.*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-{{ctx.metadata.window_period}}"
                    }
                  }
                },
                {
                  "exists": {
                    "field": "device_id"
                  }
                }
              ]
            }
          },
          "aggs": {
            "device_id": {
              "terms": {
                "field": "device_id"
              },
              "aggs": {
                "events": {
                  "top_hits": {
                    "size": 1,
                    "_source": [
                      "device_id"
                    ]
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": """
        def offenders = [];
        for (def device_id : ctx.payload.aggregations.device_id.buckets) {
          if (device_id.doc_count >= 1) {
            offenders.add([
              'device_id': device_id.key,
              'execution_time': ctx.trigger.triggered_time
            ]);
          }
        }
        ctx.payload.offenders = offenders;
        return offenders.size() > 0;
      """,
      "lang": "painless"
    }
  },
  "actions": {
    "<webhook action name>": {
      "webhook": {
        "<scheme/host/port/method/path/headers elided by the poster>": "...",
        "body": "{{#toJson}}ctx.payload.offenders{{/toJson}}"
      }
    }
  },
  "metadata": {
    "window_period": "5m"
  },
  "throttle_period_in_millis": 120000
}

Hello Jason,

I think you'd want to add a size parameter to your aggregation (it defaults to 10). You can modify it using the advanced watch editor.

Regards,
Aaron

Hi Aaron!

Thank you, I had the "size" on the wrong aggregation.

Is there a limit to the size that you know of?

Jason
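As an added illustration (not code from either poster), the search body with `size` moved from `top_hits` onto the `terms` aggregation, plus a Python re-implementation of the condition script that also checks the response's `sum_other_doc_count` so a silently capped bucket list can be noticed before the webhook fires. `MAX_DEVICES` and the sample payload are assumed/constructed values.

```python
import json

# Assumed cap; it must stay below the cluster's search.max_buckets setting.
MAX_DEVICES = 10000


def build_search_body(window_period: str, max_devices: int = MAX_DEVICES) -> dict:
    """Watch input body: the bucket cap lives on the terms agg, not on top_hits."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": f"now-{window_period}"}}},
            {"exists": {"field": "device_id"}},
        ]}},
        "aggs": {"device_id": {
            "terms": {"field": "device_id", "size": max_devices},
            "aggs": {"events": {"top_hits": {"size": 1, "_source": ["device_id"]}}},
        }},
    }


def collect_offenders(payload: dict, triggered_time: str) -> tuple:
    """Mirror the Painless condition and report whether buckets were truncated.

    A terms aggregation reports sum_other_doc_count > 0 when documents fell
    outside the returned buckets, i.e. the webhook would miss some devices.
    """
    agg = payload["aggregations"]["device_id"]
    offenders = [
        {"device_id": b["key"], "execution_time": triggered_time}
        for b in agg["buckets"] if b["doc_count"] >= 1
    ]
    truncated = agg.get("sum_other_doc_count", 0) > 0
    return offenders, truncated


# Constructed payload: three buckets returned, more devices cut off by the cap.
SAMPLE_PAYLOAD = {"aggregations": {"device_id": {
    "doc_count_error_upper_bound": 0,
    "sum_other_doc_count": 7,
    "buckets": [
        {"key": "host-a", "doc_count": 12},
        {"key": "host-b", "doc_count": 3},
        {"key": "host-c", "doc_count": 1},
    ],
}}}

if __name__ == "__main__":
    print(json.dumps(build_search_body("5m"), indent=2))
    found, capped = collect_offenders(SAMPLE_PAYLOAD, "2024-01-01T00:00:00Z")
    print(len(found), "offenders; truncated:", capped)
```

The terms `size` is not unlimited: Elasticsearch rejects requests whose bucket count exceeds the cluster-level `search.max_buckets` setting, so for very large fleets a composite aggregation with pagination is the usual alternative.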
