I might have missed something in the doc, or just lack basic knowledge, but how could I define a watch to get alerted when one more document is indexed ?
I have an external system that triggers an "alert" by indexing one document in a special index in ES. Ideally the alarm should say "3 more alerts registered since last time I fired" (and I'll make it so that it fires often enough to have <10 new alerts every time).
Thanks a lot 
Hey,
you could execute a query in a search input, that contains a timestamp filter, so you could search for documents that have been inserted in the last 10 minutes? All you need to add is the insertion timestamp for each document that gets added to that special index.
I might have missed your requirement that forbids this though...
--Alex
Indeed, that makes perfect sense. I'll have a try (so far I'm still very inefficient writing queries).
Side note: I moved this over to the x-pack forum for now. Feel free to paste your watches when you run into more issues.
I managed to get exactly what I wanted 
PUT _watcher/watch/my_name
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"indices": "my_index",
"types": "my_type",
"body": {
"query": {
"bool" : {
"must" : [
{
"range" : {
"upload_date" : {
"gte": "now-1m"
}
}
},
{
"term": {"field": "value"}
}
]
}
}
}
}
}
},
"condition": {
"compare" : {
"ctx.payload.hits.total" : {
"gte" : 1
}
}
},
"actions": {
"notify-slack" : {
"throttle_period" : "1m",
"slack" : {
"account": "monitoring",
"message" : {
"to" : [ "#general" ],
"text" : "{{ctx.payload.hits.total}} logs added."
}
}
}
}
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.