Skip to content

Instantly share code, notes, and snippets.

@sonnydoza

sonnydoza/ml_watcher.json Secret

Created October 10, 2019 13:13
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save sonnydoza/1ee02261e051eeeee40a29e5a2f074ed to your computer and use it in GitHub Desktop.
Save sonnydoza/1ee02261e051eeeee40a29e5a2f074ed to your computer and use it in GitHub Desktop.
Download ZIP
ml_watcher
Raw
ml_watcher.json
{
"trigger": {
"schedule": {
"interval": "102s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
".ml-anomalies-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 15,
"query": {
"bool": {
"filter": [
{
"term": {
"job_id": "ml-metricbeat_metricbeat_outages_ecs"
}
},
{
"range": {
"timestamp": {
"gte": "now-20m"
}
}
},
{
"terms": {
"result_type": [
"bucket",
"record",
"influencer"
]
}
}
]
}
},
"aggs": {
"bucket_results": {
"filter": {
"range": {
"anomaly_score": {
"gte": 75
}
}
},
"aggs": {
"top_bucket_hits": {
"top_hits": {
"sort": [
{
"anomaly_score": {
"order": "desc"
}
}
],
"_source": {
"includes": [
"job_id",
"result_type",
"timestamp",
"anomaly_score",
"is_interim"
]
},
"size": 1,
"script_fields": {
"start": {
"script": {
"lang": "painless",
"source": "LocalDateTime.ofEpochSecond((doc[\"timestamp\"].value.getMillis()-((doc[\"bucket_span\"].value * 1000)\n * params.padding)) / 1000, 0, ZoneOffset.UTC).toString()+\":00.000Z\"",
"params": {
"padding": 10
}
}
},
"end": {
"script": {
"lang": "painless",
"source": "LocalDateTime.ofEpochSecond((doc[\"timestamp\"].value.getMillis()+((doc[\"bucket_span\"].value * 1000)\n * params.padding)) / 1000, 0, ZoneOffset.UTC).toString()+\":00.000Z\"",
"params": {
"padding": 10
}
}
},
"timestamp_epoch": {
"script": {
"lang": "painless",
"source": "doc[\"timestamp\"].value.getMillis()/1000"
}
},
"timestamp_iso8601": {
"script": {
"lang": "painless",
"source": "doc[\"timestamp\"].value"
}
},
"score": {
"script": {
"lang": "painless",
"source": "Math.round(doc[\"anomaly_score\"].value)"
}
}
}
}
}
}
},
"influencer_results": {
"filter": {
"range": {
"influencer_score": {
"gte": 3
}
}
},
"aggs": {
"top_influencer_hits": {
"top_hits": {
"sort": [
{
"influencer_score": {
"order": "desc"
}
}
],
"_source": {
"includes": [
"result_type",
"timestamp",
"influencer_field_name",
"influencer_field_value",
"influencer_score",
"isInterim"
]
},
"size": 3,
"script_fields": {
"score": {
"script": {
"lang": "painless",
"source": "Math.round(doc[\"influencer_score\"].value)"
}
}
}
}
}
}
},
"record_results": {
"filter": {
"range": {
"record_score": {
"gte": 3
}
}
},
"aggs": {
"top_record_hits": {
"top_hits": {
"sort": [
{
"record_score": {
"order": "desc"
}
}
],
"_source": {
"includes": [
"result_type",
"timestamp",
"record_score",
"is_interim",
"function",
"field_name",
"by_field_value",
"over_field_value",
"partition_field_value"
]
},
"size": 3,
"script_fields": {
"score": {
"script": {
"lang": "painless",
"source": "Math.round(doc[\"record_score\"].value)"
}
}
}
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.bucket_results.doc_count": {
"gt": 0
}
}
},
"actions": {
"log": {
"logging": {
"level": "info",
"text": "Alert for job [{{ctx.payload.aggregations.bucket_results.top_bucket_hits.hits.hits.0._source.job_id}}] at [{{ctx.payload.aggregations.bucket_results.top_bucket_hits.hits.hits.0.fields.timestamp_iso8601.0}}] score [{{ctx.payload.aggregations.bucket_results.top_bucket_hits.hits.hits.0.fields.score.0}}]"
}
},
"slack_2": {
"slack": {
"message": {
"to": [
"#any_channel"
],
"text": "Some message"
}
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment