Игорь, вот полная конфигурация моего watcher'а:
{
"trigger": {
"schedule": {
"interval": "3m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [ "weblog-*" ],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-1m",
"lte": "now"
}
}
}
],
"must_not": [
{
"query_string": {
"analyze_wildcard": true,
"fields": [
"http_host.keyword"
],
"query": "dev.domain.com"
}
}
]
}
},
"aggregations": {
"host": {
"terms": {
"field": "http_host.keyword",
"order": {
"max_req_time": "desc"
}
},
"aggregations": {
"max_req_time": {
"max": {
"field": "request_time"
}
},
"max_agg_pipe": {
"bucket_selector": {
"buckets_path": {
"max_req_time": "max_req_time"
},
"script": {
"lang": "expression",
"source": "max_req_time > 16"
}
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 50
}
}
},
"actions": {
"telegram": {
"webhook": {
"scheme": "http",
"host": "api.telegram.com",
"port": 81,
"method": "post",
"path": "/bot123456789:XXXXXXXX/sendMessage",
"params": {},
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "chat_id=-123456789&text=****Watcher**** %0A\nDate/Time: {{ctx.payload.human_date}}%0A\nWatcher name: {{ctx.metadata.name}}%0A\nHost: {{#ctx.payload.aggregations.host.buckets}}\n{{key}}\n%0ARequest Time (ms): {{max_req_time.value}}%0A\n{{/ctx.payload.aggregations.host.buckets}}\n"
}
}
},
"transform": {
"script": {
"source": "DateFormat dateFormat = new SimpleDateFormat(\"yyyy-MM-dd HH:mm:ss z\");dateFormat.setTimeZone(TimeZone.getTimeZone(\"Europe/Moscow\")); Date date = new Date(); ctx.execution_time = dateFormat.format(date); return ['human_date': ctx.execution_time, 'aggregations': ctx.payload.aggregations]",
"lang": "painless"
}
}
}