ElasticSearch Watcher

Table Of Contents

  • Purpose
  • How to use

Purpose

This guide explains how to trigger an action (a log entry, a chat message, an email) for any error raised while executing an incoming or route configuration. It does so with an Elasticsearch Watcher that polls the customer's Filebeat log indices for level-400 entries that carry an incoming_id.

How to use

  1. Replace CUSTOMER_INDICE_NAME with the index prefix of the customer environment, e.g. alumio-uat. The index pattern then becomes alumio-uat-filebeat-*.
  2. Set the interval you want the watch to run at. The default is 5 minutes.
    a. Change it in two places so they stay in sync: the trigger (line 4 of the script, "interval": "5m") and the query's time window (line 28, "gte": "now-5m"). If the window is shorter than the interval you silently miss errors; if it is longer you report the same errors more than once.
  3. Configure the desired action. The script below ships with a logging action, which only writes to the Elasticsearch server log; replace or extend it with one of the action types Watcher supports:
    a. A message to Teams (via a webhook action);
    b. A message to Slack (via the built-in slack action or a webhook);
    c. An email;
    d. Any other Watcher action type (webhook, index, PagerDuty, Jira).
    Note that the action text contains the raw @message of every matching log line. Anything sent to an external service leaves the cluster, so check that these messages do not carry credentials or personal data before wiring up a webhook.
  4. Go to the correct Elastic/Kibana instance and add the script as an 'advanced' watcher.
    a. Open Kibana.
    b. Navigate to Management → Stack Management.
    c. Using the on-page navigation go to Alerts and Insights → Watcher.
    d. Press Create and then Create advanced watcher, paste the script and save it. Use Simulate on the watch to run it once against real data before relying on it.
  5. Check the must_not clause before saving. It uses a term query on @message, which only matches the whole sentence if @message is mapped as keyword. On an analyzed text field use match_phrase instead, otherwise the exclusion never applies and the "Exception in incoming process" lines are reported as well.
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "CUSTOMER_INDICE_NAME-filebeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 500,
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "@fields.level": "400"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-5m",
                      "lt": "now"
                    }
                  }
                },
                {
                  "exists": {
                    "field": "@fields.scope.incoming_id"
                  }
                }
              ],
              "must_not": [
                {
                  "term": {
                    "@message": "Exception in incoming process"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "log_hits": {
      "foreach": "ctx.payload.hits.hits",
      "max_iterations": 500,
      "logging": {
        "level": "info",
        "text": "ERROR | {{ctx.payload._source.@message}} | {{ctx.payload._source.@fields.scope.incoming_id}} | {{ctx.payload._source.@fields.scope.route_id}}"
      }
    }
  }
}
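The steps above are usually done by hand-editing the JSON. As an added example (not code from this guide, Alumio or Elastic), the script below builds the same watch from parameters so the interval and the time window cannot drift apart, optionally adds a webhook action next to the logging action, and renders the action text against a constructed hit so you can see what a notification would contain. The webhook URL, the sample hit and the build_watch/render helpers are assumptions for the example.

```python
"""Build the Alumio error watch from parameters instead of hand-editing the JSON.

Added example for this guide; not code from the guide itself or from Alumio/Elastic.
Keeps the trigger interval and the query's @timestamp window in sync and, optionally,
adds a webhook action next to the logging action. The webhook URL is a placeholder.
"""
import json
import re
from typing import Optional

# Mustache text the logging action renders for each hit (taken from the watch above).
LOG_TEMPLATE = ("ERROR | {{ctx.payload._source.@message}} | "
                "{{ctx.payload._source.@fields.scope.incoming_id}} | "
                "{{ctx.payload._source.@fields.scope.route_id}}")


def build_watch(index_prefix: str, interval_minutes: int = 5, size: int = 500,
                webhook_url: Optional[str] = None) -> dict:
    """Return the watch body as a dict ready for json.dumps.

    index_prefix replaces CUSTOMER_INDICE_NAME, e.g. "alumio-uat".
    interval_minutes drives both schedule.interval and the range window, so no
    window is skipped or counted twice by editing only one of them.
    """
    if not re.fullmatch(r"[a-z0-9][a-z0-9_.-]*", index_prefix):
        raise ValueError(f"invalid index prefix: {index_prefix!r}")
    if interval_minutes < 1 or size < 1:
        raise ValueError("interval and size must be positive")
    window = f"now-{interval_minutes}m"
    watch = {
        "trigger": {"schedule": {"interval": f"{interval_minutes}m"}},
        "input": {"search": {"request": {
            "search_type": "query_then_fetch",
            "indices": [f"{index_prefix}-filebeat-*"],
            # Needed so ctx.payload.hits.total is a plain number the compare condition can read.
            "rest_total_hits_as_int": True,
            "body": {"size": size, "query": {"bool": {
                "must": [
                    {"match": {"@fields.level": "400"}},
                    {"range": {"@timestamp": {"gte": window, "lt": "now"}}},
                    {"exists": {"field": "@fields.scope.incoming_id"}},
                ],
                # match_phrase instead of the guide's term query: term only works if
                # @message is a keyword field; match_phrase also matches analyzed text.
                "must_not": [{"match_phrase": {"@message": "Exception in incoming process"}}],
            }}},
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gte": 1}}},
        "actions": {
            "log_hits": {
                "foreach": "ctx.payload.hits.hits",
                "max_iterations": size,  # keep equal to size; Watcher's default is 100
                "logging": {"level": "info", "text": LOG_TEMPLATE},
            }
        },
    }
    if webhook_url:
        # Hypothetical Teams/Slack-style endpoint that accepts {"text": "..."} JSON.
        watch["actions"]["notify_webhook"] = {
            "foreach": "ctx.payload.hits.hits",
            "max_iterations": size,
            "webhook": {
                "method": "POST",
                "url": webhook_url,
                "headers": {"Content-Type": "application/json"},
                "body": json.dumps({"text": LOG_TEMPLATE}),
            },
        }
    return watch


def render(template: str, hit: dict) -> str:
    """Resolve {{ctx.payload.<dotted.path>}} against one hit, as the foreach action sees it.

    Minimal stand-in for Watcher's Mustache rendering, enough to preview the log line;
    a missing path renders as an empty string, as Mustache does.
    """
    def lookup(match: re.Match) -> str:
        node = {"ctx": {"payload": hit}}
        for part in match.group(1).split("."):
            node = node.get(part, "") if isinstance(node, dict) else ""
        return str(node)
    return re.sub(r"\{\{\s*([^}]+?)\s*\}\}", lookup, template)


# Constructed hit for the preview; field layout follows the paths used in the watch.
SAMPLE_HIT = {
    "_index": "alumio-uat-filebeat-2024.05.01",
    "_source": {
        "@timestamp": "2024-05-01T10:00:00.000Z",
        "@message": "Entity mapping failed: missing field 'sku'",
        "@fields": {"level": 400,
                    "scope": {"incoming_id": "incoming-shop-orders",
                              "route_id": "route-orders-to-erp"}},
    },
}

if __name__ == "__main__":
    print(json.dumps(build_watch("alumio-uat", webhook_url="https://hooks.example/xyz"), indent=2))
    print(render(LOG_TEMPLATE, SAMPLE_HIT))
```

The printed JSON can be pasted into the advanced watcher editor or sent with PUT _watcher/watch/<watch_id> from a client that has the manage_watcher privilege. One caveat on the webhook body: because the text is substituted into a JSON string, a log message containing a double quote would break the request body. Watcher's Mustache supports {{#toJson}}ctx.payload._source{{/toJson}} to serialize a value with proper escaping, which is the safer choice once real messages flow through it.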