@richcollier
Last active February 18, 2023 18:59
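Elasticsearch Watcher example: list the indices that were receiving data 2 days ago but have received none in the last day (useful for spotting log sources that have gone silent). Both time windows use `/d` date-math rounding, so they follow day boundaries rather than exact 24-hour spans.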
POST _watcher/watch/_execute
{
"watch": {
"trigger": {
"schedule": {
"interval": "1d"
}
},
"metadata": {
"longer_time": "2d/d",
"shorter_time": "1d/d"
},
"input": {
"search": {
"request": {
"indices": [
"al*", "stir*"
],
"body": {
"size": 0,
"aggs": {
"indices": {
"terms": {
"field": "_index",
"size": 1000
},
"aggs": {
"older": {
"filter": {
"query_string": {
"default_field": "@timestamp",
"query": "@timestamp:[now-{{ctx.metadata.longer_time}} TO now-{{ctx.metadata.shorter_time}}]"
}
}
},
"newer": {
"filter": {
"query_string": {
"default_field": "@timestamp",
"query": "@timestamp:[now-{{ctx.metadata.shorter_time}} TO now]"
}
}
},
"expose_olders_not_in_newers": {
"bucket_selector": {
"buckets_path": {
"older": "older._count",
"newer": "newer._count"
},
"script": "params.older > 0 && params.newer == 0"
}
}
}
},
"final_count": {
"stats_bucket": {
"buckets_path": "indices>_count"
}
}
}
}
}
}
},
"condition": {
"script": """
ctx.payload.aggregations.final_count.count > 0
"""
},
"actions": {
"log": {
"transform": {
"script": "return ctx.payload.aggregations.indices.buckets.stream().map(p -> ['index':p.key]).collect(Collectors.toList());"
},
"logging": {
"text": """
indices that had data 2 days ago, but not in last 1 day:
{{#ctx.payload._value}}
{{index}}
{{/ctx.payload._value}}
"""
}
}
}
}
}
@richcollier
Author

snippet of output in DevTools:

      "actions": [
        {
          "id": "log",
          "type": "logging",
          "status": "success",
          "transform": {
            "type": "script",
            "status": "success",
            "payload": {
              "_value": [
                {
                  "index": "alert-messages-new"
                },
                {
                  "index": "alarm-messages"
                },
                {
                  "index": "stir_shaken-sign"
                },
                {
                  "index": "stir_shaken-verify"
                }
              ]
            }
          },
          "logging": {
            "logged_text": """
          indices that had data 2 days ago, but not in last 1 day:
            alert-messages-new
            alarm-messages
            stir_shaken-sign
            stir_shaken-verify
"""
          }
        }
      ]
