X-Pack Watcher -- adding additional fields

Hi,

I am trying to set up a Watcher to send alerts to Slack when a service is down for the last minute. What I currently have is Heartbeat collecting HTTP ping data and sending it to Elasticsearch, and all is well.

I have set up an alert that is being sent to Slack, some with data. It is currently sending:

// foo@http://foo:1234/healthz
// Total failure in the last minute: 5

which is a little uninformative. I would like to add "resolve.ip" and "error.message" to it.

// foo@http://foo:1234/healthz on host
// Error:

Question is, do I add another sub-aggregate?

  "aggs": {
    "bucketAgg": {
      "terms": {
        "field": "monitor.id",
        "size": 50,
        "order": {
          "metricAgg": "desc"
        }
      },
      "aggs": {
        "metricAgg": {
          "terms": {
            "field": "error.message"
          }
        }
      }
    }
  }

Are there any docs or examples that I can refer to?

Thanks,

Hi, terribly sorry for the late response.

The short answer is there are a few ways you could do this.

  1. You could use more terms aggregations, like you mentioned.

  2. You could nest a top_hits aggregation as well, and pick the values you want.

  3. You could use a Watcher transform, which is a step executed right before any actions are taken; this allows you to modify your search result to include the values from another search.

Thanks,
Baz.
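Added example, not code from the thread or from Elastic, showing option 2 from the reply end to end: the watch's search body with a `top_hits` sub-aggregation under the existing `bucketAgg` terms aggregation, and the parsing that turns the aggregation response into the richer per-monitor message the question asks for. The field names `monitor.status`, `resolve.ip`, `error.message` and `@timestamp`, the `lastHit` aggregation name, and the sample response are assumptions constructed for this example; the same formatting logic is what a script transform (option 3) or the Slack action's template would carry out inside the watch.

```python
"""Build a Watcher search body with a top_hits sub-aggregation and format
the response into Slack lines. Field names and sample data are assumptions
constructed for this example, not taken from the thread."""


def build_search_body(size=50):
    """Search body for the watch input (assumed fields): 'down' events from
    the last minute, bucketed by monitor.id, with the newest document's
    resolve.ip and error.message pulled in through a top_hits sub-aggregation."""
    return {
        "size": 0,
        "query": {
            "bool": {
                "filter": [
                    {"term": {"monitor.status": "down"}},
                    {"range": {"@timestamp": {"gte": "now-1m"}}},
                ]
            }
        },
        "aggs": {
            "bucketAgg": {
                "terms": {"field": "monitor.id", "size": size},
                "aggs": {
                    # One hit per bucket is enough to pick the latest values.
                    "lastHit": {
                        "top_hits": {
                            "size": 1,
                            "sort": [{"@timestamp": {"order": "desc"}}],
                            "_source": {"includes": ["resolve.ip", "error.message"]},
                        }
                    }
                },
            }
        },
    }


def _get_path(source, dotted, default):
    """Read 'a.b' from a _source that may be nested ({'a': {'b': ..}}) or flat."""
    if dotted in source:
        return source[dotted]
    node = source
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def format_alerts(response):
    """Return [(monitor_id, [line, ...]), ...] from the aggregation response.
    Missing hits or fields fall back to placeholders instead of raising."""
    alerts = []
    buckets = response.get("aggregations", {}).get("bucketAgg", {}).get("buckets", [])
    for bucket in buckets:
        hits = bucket.get("lastHit", {}).get("hits", {}).get("hits", [])
        source = hits[0].get("_source", {}) if hits else {}
        host = _get_path(source, "resolve.ip", "unknown host")
        error = _get_path(source, "error.message", "no error message recorded")
        lines = [
            f"{bucket['key']} on host {host}",
            f"Total failures in the last minute: {bucket['doc_count']}",
            f"Error: {error}",
        ]
        alerts.append((bucket["key"], lines))
    return alerts


def render_slack_text(alerts):
    """Join the per-monitor blocks into one Slack message body."""
    return "\n\n".join("\n".join(lines) for _, lines in alerts)


# Constructed sample response, shaped like what the search above returns.
SAMPLE_RESPONSE = {
    "aggregations": {
        "bucketAgg": {
            "buckets": [
                {
                    "key": "foo@http://foo:1234/healthz",
                    "doc_count": 5,
                    "lastHit": {"hits": {"hits": [{"_source": {
                        "resolve": {"ip": "10.0.0.12"},
                        "error": {"message": "dial tcp 10.0.0.12:1234: connection refused"},
                    }}]}},
                },
                {
                    # Second monitor: resolved, but no error.message recorded.
                    "key": "bar@http://bar:8080/ready",
                    "doc_count": 2,
                    "lastHit": {"hits": {"hits": [{"_source": {"resolve": {"ip": "10.0.0.20"}}}]}},
                },
            ]
        }
    }
}

if __name__ == "__main__":
    print(render_slack_text(format_alerts(SAMPLE_RESPONSE)))
```

Because the terms aggregation groups by `monitor.id`, one `top_hits` with `size: 1` sorted by `@timestamp` gives the most recent resolved IP and error per monitor without a second terms aggregation on `error.message`, which would also require that field to be aggregatable (keyword) in the mapping.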
