X-Pack Watcher Duplicate Slack Notifications

ddregalo · June 15, 2018, 11:33am

Hi, I have set up a watcher to check "monitor.status": "down" with a condition of "ctx.payload.hits.total" : { "gt": 0 } and throttle_period of 30 minutes (inside the actions) for a "notify-slack" action.

This works fine (watch sends slack notification every 30 mins) but I would like to know if there is a way NOT to send the slack notification if the error (same url monitor.status is down) even when the throttle-period expires...basically only send a particular error message ONCE and not repeatedly every 30 mins. I've looked at ACK Watch API but can't figure out how to implement this in my Watch JSON syntax (kibana).

Any help would be greatly appreciated!

Daniel

spinscale · June 22, 2018, 2:09pm

Hey,

you cannot ack a watch while it is running. What you could do as a work around though, is to query the watch history index using a chained input, get the last x hits from the last n minutes, and check if the condition was met earlier. If it was always met, then return false in the condition.

Hope this helps!

--Alex

ddregalo · June 25, 2018, 11:11am

Thanks for the help Alex! Really appreciate your time and having a blast working with elasticsearch watchers

Cheers,
Daniel

system · July 23, 2018, 11:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.