Adding conditions to Watcher actions
When a watch is triggered, its condition determines whether or not to execute the
watch actions. Within each action, you can also add a condition per action. These
additional conditions enable a single alert to execute different actions depending
on their respective conditions. The following watch always sends an email when
hits are found from the input search, but only triggers the `notify_pager` action when
there are more than 5 hits in the search result.
# Registers the watch "log_event_watch": every 5 minutes it counts documents in
# `log-events` whose status is "error" and runs the actions whose conditions pass.

# Search input. `size` is 0, so the payload should carry hit totals rather than
# the matching documents themselves.
error_search = {
    "search": {
        "request": {
            "indices": "log-events",
            "body": {
                "size": 0,
                "query": {"match": {"status": "error"}},
            },
        }
    }
}

# Watch-level condition: gates every action (at least one hit).
watch_condition = {"compare": {"ctx.payload.hits.total": {"gt": 0}}}

# Action-level condition: applies to notify_pager only (more than 5 hits).
pager_condition = {"compare": {"ctx.payload.hits.total": {"gt": 5}}}

# Email action with no condition of its own, so it runs whenever the watch-level
# condition passes. The `to` value is reproduced as it appears on this page (the
# address looks redacted by e-mail obfuscation); substitute a real recipient.
# `attached_data` mails the watch payload as JSON; if `size` above is raised,
# matching log documents would end up in the recipient's mailbox.
email_action = {
    "email": {
        "to": "[email protected]",
        "subject": "Encountered {{ctx.payload.hits.total}} errors",
        "body": "Too many error in the system, see attached data",
        "attachments": {
            "attached_data": {"data": {"format": "json"}},
        },
        "priority": "high",
    }
}

# Webhook action. No `scheme` is set, and Watcher's webhook action uses `http`
# unless told otherwise, so as written this POST is unencrypted and carries no
# credentials. Set `scheme` to "https" and add an `auth` block where the pager
# endpoint supports them.
pager_action = {
    "condition": pager_condition,
    "webhook": {
        "method": "POST",
        "host": "pager.service.domain",
        "port": 1234,
        "path": "/{{watch_id}}",
        "body": "Encountered {{ctx.payload.hits.total}} errors",
    },
}

resp = client.watcher.put_watch(
    id="log_event_watch",
    trigger={"schedule": {"interval": "5m"}},
    input=error_search,
    condition=watch_condition,
    actions={
        "email_administrator": email_action,
        "notify_pager": pager_action,
    },
)
print(resp)
// Registers the watch "log_event_watch": every 5 minutes it counts documents in
// `log-events` whose status is "error" and runs the actions whose conditions pass.

// Search input. `size` is 0, so the payload should carry hit totals rather than
// the matching documents themselves.
const errorSearch = {
  search: {
    request: {
      indices: "log-events",
      body: {
        size: 0,
        query: { match: { status: "error" } },
      },
    },
  },
};

// Watch-level condition: gates every action (at least one hit).
const watchCondition = {
  compare: { "ctx.payload.hits.total": { gt: 0 } },
};

// Action-level condition: applies to notify_pager only (more than 5 hits).
const pagerCondition = {
  compare: { "ctx.payload.hits.total": { gt: 5 } },
};

// Email action with no condition of its own, so it runs whenever the watch-level
// condition passes. The `to` value is reproduced as it appears on this page (the
// address looks redacted by e-mail obfuscation); substitute a real recipient.
// `attached_data` mails the watch payload as JSON; if `size` above is raised,
// matching log documents would end up in the recipient's mailbox.
const emailAction = {
  email: {
    to: "[email protected]",
    subject: "Encountered {{ctx.payload.hits.total}} errors",
    body: "Too many error in the system, see attached data",
    attachments: {
      attached_data: { data: { format: "json" } },
    },
    priority: "high",
  },
};

// Webhook action. No `scheme` is set, and Watcher's webhook action uses `http`
// unless told otherwise, so as written this POST is unencrypted and carries no
// credentials. Set `scheme` to "https" and add an `auth` block where the pager
// endpoint supports them.
const pagerAction = {
  condition: pagerCondition,
  webhook: {
    method: "POST",
    host: "pager.service.domain",
    port: 1234,
    path: "/{{watch_id}}",
    body: "Encountered {{ctx.payload.hits.total}} errors",
  },
};

const response = await client.watcher.putWatch({
  id: "log_event_watch",
  trigger: { schedule: { interval: "5m" } },
  input: errorSearch,
  condition: watchCondition,
  actions: {
    email_administrator: emailAction,
    notify_pager: pagerAction,
  },
});
console.log(response);
# Registers the watch "log_event_watch": every 5 minutes it counts documents in
# log-events whose status is "error".
# - The watch-level "condition" (hits.total > 0) gates every action.
# - "email_administrator" has no condition of its own, so it runs whenever the
#   watch-level condition passes. Its "to" value is reproduced as it appears on
#   this page (the address looks redacted); substitute a real recipient. The
#   attachment mails the watch payload as JSON; with "size": 0 that should be
#   totals only, but raising "size" would mail matching log documents.
# - "notify_pager" carries its own "condition" (hits.total > 5). Its webhook sets
#   no "scheme", and Watcher's webhook action uses http unless told otherwise,
#   so as written the POST is unencrypted and carries no credentials. Set
#   "scheme" to "https" and add an "auth" block where the endpoint supports them.
PUT _watcher/watch/log_event_watch
{
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": "log-events",
        "body": {
          "size": 0,
          "query": { "match": { "status": "error" } }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "email_administrator": {
      "email": {
        "to": "[email protected]",
        "subject": "Encountered {{ctx.payload.hits.total}} errors",
        "body": "Too many error in the system, see attached data",
        "attachments": {
          "attached_data": {
            "data": { "format": "json" }
          }
        },
        "priority": "high"
      }
    },
    "notify_pager": {
      "condition": {
        "compare": { "ctx.payload.hits.total": { "gt": 5 } }
      },
      "webhook": {
        "method": "POST",
        "host": "pager.service.domain",
        "port": 1234,
        "path": "/{{watch_id}}",
        "body": "Encountered {{ctx.payload.hits.total}} errors"
      }
    }
  }
}