Difficulty Understanding Creating Alerts on Amazon ES

Plugins Alerting
1

Howdy Open Distro Crew,

I’m currently working through migrating existing watchers from my on-prem ES instance to a new AWS ES instance. I’m having some difficulty understanding all of the members or objects (I apologize for the bastardization of terminology) of the ctx variable that can used during the trigger and alert creation process.

Specifically,

The OpenDistro alerting documentation for monitors mentions that all query results are stored in an array with one element named “ctx.results[0]” but that doesn’t really explain to me all the ways I can use this array. For example, within the same documentation I can see other queries using ctx.results[0].hits.total , ctx.results[0].hits.hits[i] , ctx.results[0].hits.hits.length, ctx.results[0].aggregations.avg_cpu.value but those use cases are never documented. How am I to know all of the ways I can use the “ctx.results[0]” array?

Second, what is the proper way to return the number of hits a query had within an email subject / body? I believe the proper way is ctx.results[0].hits.total. However, when I use this method against a query that returned no results (expected) instead of displaying “0” it doesn’t display anything. Is this expected?

Thank you all for your time.

1 Like
2

Hi @elasticTrouble, the nested objects vary depending on the content of your documents. Ultimately, you’re dealing with the standard Elasticsearch response format for search requests. On the prior screen, when you’re creating the monitor, run the query a couple times so that you know what the response format looks like. Then you can start drilling down on the fields you care about. For example, the response format might look like this:

{
    "took": 171,
    "timed_out": false,
    "_shards": {
        "total": 5,
        "successful": 5,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 3,
            "relation": "eq"
        },
        "max_score": 0.2876821,
        "hits": [
            {
                "_index": "my-index",
                "_type": "_doc",
                "_id": "3",
                "_score": 0.2876821,
                "_source": {
                    "title": "some document"
                }
            },
            {
                "_index": "my-index",
                "_type": "_doc",
                "_id": "2",
                "_score": 0.2876821,
                "_source": {
                    "title": "some document"
                }
            },
            {
                "_index": "my-index",
                "_type": "_doc",
                "_id": "1",
                "_score": 0.2876821,
                "_source": {
                    "title": "some document"
                }
            }
        ]
    }
}

So here, you can refer to ctx.results[0].hits.total.value, ctx.results[0].hits.hits[1]._source.title, ctx.results[0].hits.hits[1]._id, etc.

But if your initial query included an aggregation, you might have some more interesting objects available to you in the Elasticsearch response, like in the avg_cpu example.

I suspect part of the confusion comes from a change Elastic made to 7.x, where it’s now hits.total.value rather than hits.total: Upgrade to 1.x.x - Open Distro Documentation

alerting
alerting1194×878 80.4 KB

1 Like
3

That’s exactly the information I was looking for. Thank you for taking the time to write that out. As somebody who has little experience with ES I really appreciate it.

To close the thread out, anyone who may be looking for the answer to my second question. To display the number of hits a monitor had in the message body it’s {{ctx.results.0.hits.total}}.