
Watcher, also known as X-Pack Alerting, is a commercial extension of Elasticsearch. It requires at least a trial or gold license.

Administration

Some recipes

Read

curl -XGET 'localhost:9200/_xpack/watcher/watch/my_watch?pretty'

Delete

curl -XDELETE 'localhost:9200/_xpack/watcher/watch/my_watch?pretty'

Execute

curl -XPOST 'localhost:9200/_xpack/watcher/watch/my_watch/_execute?pretty'

Activate

curl -XPUT 'localhost:9200/_xpack/watcher/watch/my_watch/_activate?pretty'

Deactivate

curl -XPUT 'localhost:9200/_xpack/watcher/watch/my_watch/_deactivate?pretty'

Stats

curl -XGET 'localhost:9200/_xpack/watcher/stats?pretty'

Service Management

Start

curl -XPOST 'localhost:9200/_xpack/watcher/_start?pretty'

Stop

curl -XPOST 'localhost:9200/_xpack/watcher/_stop?pretty'

Restart

curl -XPOST 'localhost:9200/_xpack/watcher/_restart?pretty'

List all watch jobs

GET .watches/_search
{
  "_source": [ "id" ],
  "query": {
    "match_all": {}
  }
}

Example result

{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "hits": {
    "total": 4,
    "max_score": 1,
    "hits": [
      {
        "_index": ".watches",
        "_type": "watch",
        "_id": "manage_history",
        "_score": 1
      },
      {
        "_index": ".watches",
        "_type": "watch",
        "_id": "logstash_error_watch",
        "_score": 1
      },
      {
        "_index": ".watches",
        "_type": "watch",
        "_id": "intrusion_detection",
        "_score": 1
      },
      {
        "_index": ".watches",
        "_type": "watch",
        "_id": "mem_watch",
        "_score": 1
      }
    ]
  }
}

Analyze failed Watches

Pay attention to the index name, because Elasticsearch changes it often. The current index name is .watcher-history-2-*

Reindex the desired data first.

POST _reindex
{
  "source": {
    "index": ".watcher-history-2-2017.05",
    "query": {
      "bool": {
        "must": [
          {
            "query_string": {
              "analyze_wildcard": true,
              "query": "*"
            }
          },
          {
            "match": {
              "state": {
                "query": "failed",
                "type": "phrase"
              }
            }
          },
          {
            "range": {
              "trigger_event.triggered_time": {
                "gte": 1495490400000,
                "lte": 1495576800000,
                "format": "epoch_millis"
              }
            }
          }
        ],
        "must_not": []
      }
    }
  },
  "dest": {
    "index": "vinh"
  }
}

Run the aggregation

GET vinh/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "_exists_:exception.type.keyword",
            "analyze_wildcard": true
          }
        },
        {
          "match": {
            "state": {
              "query": "failed",
              "type": "phrase"
            }
          }
        },
        {
          "range": {
            "trigger_event.triggered_time": {
              "gte": 1495490400000,
              "lte": 1495576800000,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "must_not": []
    }
  },
  "aggs": {
    "exceptions": {
      "terms": {
        "field": "exception.type.keyword"
      }
    }
  }
}
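
The two requests above hard-code the same epoch_millis window and the same "failed" filter. The following added example (not part of the original page) derives that window from a calendar day and builds both request bodies from one shared filter, so the reindex and the aggregation cannot drift apart. It goes one step beyond the page by adding a per-watch sub-aggregation. Assumptions: the function names are hypothetical, the UTC+2 offset is inferred from the page's timestamps, match_phrase is used as the equivalent of the page's match with "type": "phrase", and watch_id.keyword assumes the reindexed index was created with dynamic mapping.

```python
import json
from datetime import datetime, timedelta, timezone

def day_window_ms(day, utc_offset_hours=0):
    """Return (gte, lte) epoch-millis bounds for one local calendar day."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=tz)
    end = start + timedelta(days=1)
    return int(start.timestamp() * 1000), int(end.timestamp() * 1000)

def failed_filter(gte, lte):
    """Clauses shared by both requests: state is 'failed', inside the window."""
    return [
        {"match_phrase": {"state": "failed"}},
        {"range": {"trigger_event.triggered_time": {
            "gte": gte, "lte": lte, "format": "epoch_millis"}}},
    ]

def reindex_body(source_index, dest_index, gte, lte):
    """Body for POST _reindex: copy only failed records from the window."""
    return {"source": {"index": source_index,
                       "query": {"bool": {"must": failed_filter(gte, lte)}}},
            "dest": {"index": dest_index}}

def exceptions_body(gte, lte, watch_field="watch_id.keyword"):
    """Body for GET <dest>/_search: exception types, then watches per type.

    watch_field is an assumption about the reindexed index's mapping.
    """
    must = [{"query_string": {"query": "_exists_:exception.type.keyword"}}]
    must += failed_filter(gte, lte)
    return {"size": 0,
            "query": {"bool": {"must": must}},
            "aggs": {"exceptions": {
                "terms": {"field": "exception.type.keyword"},
                "aggs": {"watches": {"terms": {"field": watch_field}}}}}}

if __name__ == "__main__":
    # 2017-05-23 at UTC+2 reproduces the window used on this page.
    gte, lte = day_window_ms("2017-05-23", utc_offset_hours=2)
    print("POST _reindex")
    print(json.dumps(reindex_body(".watcher-history-2-2017.05", "vinh", gte, lte), indent=2))
    print("GET vinh/_search")
    print(json.dumps(exceptions_body(gte, lte), indent=2))
```

The printed bodies can be pasted into the Kibana console in place of the hand-written ones. A failing watch produces no alert, so the per-watch buckets show which alerts were silently missing during the window.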