mpomery/watcher-lack_of_data.json

## watcher-lack_of_data.json
{
  "metadata": {
    "_NOTE_": "Alerts are sent if you fall below the thresholds. Set both to the same number if you only want critical messages",
    "WarningThreshold": 10,
    "CriticalThreshold": 5
  },
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "throttle_period": "58m",
  "input": {
    "search": {
      "request": {
        "indices": [
          "<logstash-{now/d{YYYY.MM.dd}}-index>",
          "<logstash-{now/d-1d{YYYY.MM.dd}}-index>"
        ],
        "body": {
          "query": {
            "bool": {
              "must": [
                { "match": { "field": "filter" } },
                { "range": { "@timestamp": { "gte": "now-5m", "lt": "now" } } }
              ]
            }
          },
          "aggs": {
            "count": {
              "cardinality": {
                "field": "FieldName"
              }
            },
            "objects": {
              "terms": {
                "field": "FieldName",
                "size": 0
              }
            }
          }
        }
      }
    }
  },
  "transform": {
    "script": "return ['servers': ctx.payload.aggregations.objects.buckets, 'count': ctx.payload.aggregations.count.value, 'alert_level': ctx.payload.aggregations.count.value < ctx.metadata.CriticalThreshold ? 'CRITICAL' : 'WARNING' ]"
  },
  "condition": {
    "compare" : { "ctx.payload.aggregations.count.value" : { "lt" : "{{ctx.metadata.WarningThreshold}}" } }
  },
  "actions": {
    "warning_alert" : {
      "condition": {
        "compare" : { "ctx.payload.count" : { "gte" : "{{ctx.metadata.CriticalThreshold}}" } }
      },
      "webhook": {
        "method": "POST",
        "host": "host",
        "port": port,
        "path": "path",
        "body": ""
      }
    },
    "critical_alert" : {
      "condition": {
        "compare" : { "ctx.payload.count" : { "lt" : "{{ctx.metadata.CriticalThreshold}}" } }
      },
      "webhook": {
        "method": "POST",
        "host": "host",
        "port": port,
        "path": "path",
        "body": ""
      }
    }
  }
}
	{
	"metadata": {
	"_NOTE_": "Alerts are sent if you fall below the thresholds. Set both to the same number if you only want critical messages",
	"WarningThreshold": 10,
	"CriticalThreshold": 5
	},
	"trigger": {
	"schedule": {
	"interval": "5m"
	}
	},
	"throttle_period": "58m",
	"input": {
	"search": {
	"request": {
	"indices": [
	"<logstash-{now/d{YYYY.MM.dd}}-index>",
	"<logstash-{now/d-1d{YYYY.MM.dd}}-index>"
	],
	"body": {
	"query": {
	"bool": {
	"must": [
	{ "match": { "field": "filter" } },
	{ "range": { "@timestamp": { "gte": "now-5m", "lt": "now" } } }
	]
	}
	},
	"aggs": {
	"count": {
	"cardinality": {
	"field": "FieldName"
	}
	},
	"objects": {
	"terms": {
	"field": "FieldName",
	"size": 0
	}
	}
	}
	}
	}
	}
	},
	"transform": {
	"script": "return ['servers': ctx.payload.aggregations.objects.buckets, 'count': ctx.payload.aggregations.count.value, 'alert_level': ctx.payload.aggregations.count.value < ctx.metadata.CriticalThreshold ? 'CRITICAL' : 'WARNING' ]"
	},
	"condition": {
	"compare" : { "ctx.payload.aggregations.count.value" : { "lt" : "{{ctx.metadata.WarningThreshold}}" } }
	},
	"actions": {
	"warning_alert" : {
	"condition": {
	"compare" : { "ctx.payload.count" : { "gte" : "{{ctx.metadata.CriticalThreshold}}" } }
	},
	"webhook": {
	"method": "POST",
	"host": "host",
	"port": port,
	"path": "path",
	"body": ""
	}
	},
	"critical_alert" : {
	"condition": {
	"compare" : { "ctx.payload.count" : { "lt" : "{{ctx.metadata.CriticalThreshold}}" } }
	},
	"webhook": {
	"method": "POST",
	"host": "host",
	"port": port,
	"path": "path",
	"body": ""
	}
	}
	}
	}