elasticsearch
Ka4a, 2016-07-22 14:56:49

Is it possible to receive notifications from ES watcher based on the number of events?

Hello. I'm starting to work with Watcher for ES and now I have a problem. Currently I have it set up so that I receive an e-mail when a message appears in the indices, and I want to make it so that if 20 messages (errors from nginx) arrive there, it sends me an e-mail. I can't figure out how to do this. My indices use a timestamp. I found a similar skeleton, but I can't even work out how to do it right.

PUT _watcher/watch/balancer_mail
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "balancer-*" ],
        "body": {
          "query": {
            "filtered": {
              "query": {
                "match_phrase": {"message": "my_event_to_match"}
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-25m"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "[email protected]",
        "subject": "my_event_to_match Warning from Watcher",
        "body": "my_event_to_match MESSAGE: Please see attached",
        "attach_data": true
      }
    }
  }
}


1 answer(s)
Ka4a, 2016-12-16
@ka4a

It is possible, but it is paid. There is a free solution, ElastAlert.
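As an added example of the free route the answer points to (not part of the answer, and not ElastAlert's own sample), here is an ElastAlert "frequency" rule that sends one e-mail once 20 matching nginx errors appear in balancer-* within 25 minutes; the host names, addresses and match phrase are placeholders. For comparison, the Watcher skeleton in the question would express the same threshold by changing its compare condition to "gte": 20 on ctx.payload.hits.total.

```yaml
# Added example: ElastAlert frequency rule for the case in the question
# (20 nginx errors in balancer-* within 25 minutes -> one e-mail).
# es_host, smtp_host, the addresses and the match phrase are placeholders.
name: balancer_nginx_errors      # unique rule name, also used in the alert subject
type: frequency                  # fire when num_events matches occur within timeframe

es_host: elasticsearch.example.internal   # placeholder
es_port: 9200

index: balancer-*
timestamp_field: "@timestamp"    # field used for the time window (ElastAlert default)

num_events: 20                   # the threshold the asker wants
timeframe:
  minutes: 25                    # same window the watch in the question searches

# Same phrase match as the watch; replace with the real nginx error text.
filter:
- query:
    query_string:
      query: 'message: "my_event_to_match"'

# While the condition keeps holding, do not resend more than once per hour.
realert:
  hours: 1

alert:
- email
email:
- "[email protected]"          # placeholder recipient
from_addr: "[email protected]"  # placeholder sender
smtp_host: smtp.example.internal       # placeholder
alert_subject: "nginx errors on balancer: 20 or more in 25 minutes"
```

Place the file in ElastAlert's rules directory and run `elastalert-test-rule` against it first; the test mode queries the index without sending the e-mail, so the threshold and filter can be checked before the rule goes live.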
