richcollier/alert_on_delta_actual_typical

## alert_on_delta_actual_typical
#only alert on critical anomalies with a delta of (actual-typical) > X
POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "5m"
      }
    },
    "metadata": {
      "job_id": "farequote_demo",
      "min_record_score": 75,
      "min_difference" : 100
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            ".ml-anomalies-*"
          ],
          "body": {
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "timestamp": {
                        "gte": "now-5y"
                      }
                    }
                  },
                  {
                    "term": {
                      "result_type": "record"
                    }
                  },
                  {
                    "term": {
                      "job_id": "{{ctx.metadata.job_id}}"
                    }
                  },
                  {
                    "range": {
                      "record_score": {
                        "gte": "{{ctx.metadata.min_record_score}}"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": """
      return ctx.payload.hits.hits.stream()
          .anyMatch(anomalies -> Math.abs(anomalies._source.actual.0-anomalies._source.typical.0) > ctx.metadata.min_difference);
        """
    },
    "actions": {
      "log": {
        "transform": {
          "script": """
      return ctx.payload.hits.hits.stream()
          .filter(anomalies -> Math.abs(anomalies._source.actual.0-anomalies._source.typical.0) > ctx.metadata.min_difference)
          .collect(Collectors.toList());"""
        },
        "logging": {
          "text": """
Anomalies:
==========
		{{#ctx.payload._value}}
		airline={{_source.partition_field_value}} exceeded threshold with actual={{_source.actual.0}} and typical={{_source.typical.0}}
		{{/ctx.payload._value}}
"""
        }
      }
    }
  }
}
	#only alert on critical anomalies with a delta of (actual-typical) > X
	POST _watcher/watch/_execute
	{
	"watch": {
	"trigger": {
	"schedule": {
	"interval": "5m"
	}
	},
	"metadata": {
	"job_id": "farequote_demo",
	"min_record_score": 75,
	"min_difference" : 100
	},
	"input": {
	"search": {
	"request": {
	"indices": [
	".ml-anomalies-*"
	],
	"body": {
	"query": {
	"bool": {
	"filter": [
	{
	"range": {
	"timestamp": {
	"gte": "now-5y"
	}
	}
	},
	{
	"term": {
	"result_type": "record"
	}
	},
	{
	"term": {
	"job_id": "{{ctx.metadata.job_id}}"
	}
	},
	{
	"range": {
	"record_score": {
	"gte": "{{ctx.metadata.min_record_score}}"
	}
	}
	}
	]
	}
	}
	}
	}
	}
	},
	"condition": {
	"script": """
	return ctx.payload.hits.hits.stream()
	.anyMatch(anomalies -> Math.abs(anomalies._source.actual.0-anomalies._source.typical.0) > ctx.metadata.min_difference);
	"""
	},
	"actions": {
	"log": {
	"transform": {
	"script": """
	return ctx.payload.hits.hits.stream()
	.filter(anomalies -> Math.abs(anomalies._source.actual.0-anomalies._source.typical.0) > ctx.metadata.min_difference)
	.collect(Collectors.toList());"""
	},
	"logging": {
	"text": """
	Anomalies:
	==========
	{{#ctx.payload._value}}
	airline={{_source.partition_field_value}} exceeded threshold with actual={{_source.actual.0}} and typical={{_source.typical.0}}
	{{/ctx.payload._value}}
	"""
	}
	}
	}
	}
	}