richcollier/alert_on_entity_in_an_interval.txt

## alert_on_entity_in_an_interval.txt
#alert on a specific entity during a time interval with a value of a field > X
POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "5m"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            "farequote"
          ],
          "body": {
            "aggs": {
              "data_aggs_interval": {
                "date_histogram": {
                  "field": "@timestamp",
                  "fixed_interval": "1d"
                },
                "aggs": {
                  "tag_names": {
                    "terms": {
                      "field": "airline",
                      "size": 20
                    },
                    "aggs": {
                      "avg_resp": {
                        "avg": {
                          "field": "responsetime"
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": """
        for (def interval : ctx.payload.aggregations.data_aggs_interval.buckets) {
            for (def tag : interval.tag_names.buckets) {
                if (tag.key == "AAL" && tag.avg_resp.value > 110) {
                  return true;
                }
          }
        }
        """
    },
    "actions": {
      "log": {
        "transform": {
          "script": """
            def failed_tags = new ArrayList();
            for (def interval : ctx.payload.aggregations.data_aggs_interval.buckets) {
              for (def tag : interval.tag_names.buckets) {
                if (tag.key == "AAL" && tag.avg_resp.value > 110) {
                  def failed_tag = new HashMap();
                  failed_tag.put("date",interval.key_as_string);
                  failed_tag.put("tag_name",tag.key);
                  failed_tag.put("avg_resp",tag.avg_resp.value);
                  failed_tags.add(failed_tag);
                }
          }
        }
      return failed_tags;"""
        },
        "logging": {
          "text": """
Result:
==========
		{{#ctx.payload._value}}
		airline={{tag_name}} exceeded threshold with responsetime={{avg_resp}} at {{date}}
		{{/ctx.payload._value}}
"""
        }
      }
    }
  }
}
	#alert on a specific entity during a time interval with a value of a field > X
	POST _watcher/watch/_execute
	{
	"watch": {
	"trigger": {
	"schedule": {
	"interval": "5m"
	}
	},
	"input": {
	"search": {
	"request": {
	"indices": [
	"farequote"
	],
	"body": {
	"aggs": {
	"data_aggs_interval": {
	"date_histogram": {
	"field": "@timestamp",
	"fixed_interval": "1d"
	},
	"aggs": {
	"tag_names": {
	"terms": {
	"field": "airline",
	"size": 20
	},
	"aggs": {
	"avg_resp": {
	"avg": {
	"field": "responsetime"
	}
	}
	}
	}
	}
	}
	}
	}
	}
	}
	},
	"condition": {
	"script": """
	for (def interval : ctx.payload.aggregations.data_aggs_interval.buckets) {
	for (def tag : interval.tag_names.buckets) {
	if (tag.key == "AAL" && tag.avg_resp.value > 110) {
	return true;
	}
	}
	}
	"""
	},
	"actions": {
	"log": {
	"transform": {
	"script": """
	def failed_tags = new ArrayList();
	for (def interval : ctx.payload.aggregations.data_aggs_interval.buckets) {
	for (def tag : interval.tag_names.buckets) {
	if (tag.key == "AAL" && tag.avg_resp.value > 110) {
	def failed_tag = new HashMap();
	failed_tag.put("date",interval.key_as_string);
	failed_tag.put("tag_name",tag.key);
	failed_tag.put("avg_resp",tag.avg_resp.value);
	failed_tags.add(failed_tag);
	}
	}
	}
	return failed_tags;"""
	},
	"logging": {
	"text": """
	Result:
	==========
	{{#ctx.payload._value}}
	airline={{tag_name}} exceeded threshold with responsetime={{avg_resp}} at {{date}}
	{{/ctx.payload._value}}
	"""
	}
	}
	}
	}
	}