X-Pack Watcher -- adding additional fields

anhlon · June 8, 2018, 12:25am

Hi,

I am trying to setup a Watcher to send alerts to Slack when a service is down for the last minute. What I currently have is heartbeat collecting http ping data and sending it to Elasticsearch and all is well.

I have setup an alert that is being sent to slack, some with data. It is currently sending;

// foo@http://foo:1234/healthz
// Total failure in the last minute: 5

which is a little uninformative. I would like to add "resolve.ip" and "error.message" to it.

// foo@http://foo:1234/healthz on host
// Error:

question is, do i add more a sub-aggregate?

  "aggs": {
    "bucketAgg": {
      "terms": {
        "field": "monitor.id",
        "size": 50,
        "order": {
          "metricAgg": "desc"
        }
      },
      "aggs": {
        "metricAgg": {
          "terms": {
            "field": "error.message"
          }
        }
      }
    }
  }

are there any docs or example that i can refer to?

Thanks,

baz · June 20, 2018, 5:07pm

Hi, terribly sorry for the late response.

The short answer is there are a few ways you could do this.

you could use more terms aggregations in like you mentioned.
you could nest a top_hits aggregation as well, and pick the values you want.
you could use a watcher transform which is a step executed right before any actions are taken, and this will allow you to modify your search to include the values from another search.

Thanks,
Baz.

system · July 18, 2018, 5:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.