WebHook actions for each Hit in watcher

alerting

(Eng.Sabbath) #1

Hi
I'm new to programming Watchers, and I'm trying to make a watcher that takes action every 10 seconds and sends a message via webhook for each hit, but I couldn't. Here is my code; in this code I don't have one action for each hit:

{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-10s",
                      "to": "now"
                    }
                  }
                },
                {
                  "term": {
                    "source.keyword": "sth1"
                  }
                }
              ]
            }
          },
          "aggs": {
            "time": {
              "terms": {
                "field": "sth2"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "my_webhook": {
      "webhook": {
        "scheme": "https",
        "host": "***",
        "port": ***,
        "method": "post",
        "path": "***",
        "params": {
          "text": "{{#ctx.payload.aggregations.time.buckets}}{{key}}{{/ctx.payload.aggregations.time.buckets}}"
        },
        "headers": {},
        "body": "text=**"
      }
    }
  }
}

Do I have to use Transform?
Thanks


(Alexander Reelsen) #2

Hey,

Every action is only executed once inside a watch. You could however use Logstash in combination with the http input to trigger a separate event for each hit on the Logstash side and send only a single event containing all the data over to Logstash.

--Alex
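
A sketch of the Logstash side of the approach described in the reply above, as an added example that is not part of the original posts. The listener address, port, user name, environment variable and target URL are constructed placeholders, and the watch is assumed to POST its whole payload as JSON to this listener.

```logstash
# Assumed watch side (not shown on the page): the webhook action posts the
# full payload once per execution, with
#   "headers": { "Content-Type": "application/json" }
#   "body": "{{#toJson}}ctx.payload{{/toJson}}"
#   "auth": { "basic": { "username": "watcher", "password": "..." } }

input {
  http {
    # Bind to loopback unless the watch runs on another host, and require
    # basic auth so that only the watch can inject events.
    host     => "127.0.0.1"
    port     => 8080                          # constructed value
    user     => "watcher"                     # constructed value
    password => "${WATCHER_HTTP_PASSWORD}"    # read from the environment
  }
}

filter {
  # The single incoming event carries the whole search response.
  # split emits one event per element of hits.hits; afterwards
  # [hits][hits] holds exactly one hit object.
  split {
    field => "[hits][hits]"
  }
}

output {
  # One outgoing request per hit.
  http {
    url         => "https://hooks.example.invalid/notify"   # placeholder
    http_method => "post"
    format      => "form"
    mapping     => {
      # _id is present on every hit; swap in a _source field as needed.
      "text" => "%{[hits][hits][_id]}"
    }
  }
}
```

The search in the watch returns only the default 10 hits unless `size` is set in the request body, so at most that many events come out of the split.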

