Understanding loops and variable index in alerting

joao.escusa · December 22, 2021, 6:04pm

Hello everyone.

I am new to world of ELK stacks and its alerting solutions.

In my current project, I have created a query with a variable number of buckets. Inside these buckets I have several values.

For example, each bucket has:

Queue: 36
AverageQueue: 27
Name: “some_name”

Among other values not yet in use.

I have created a for loop that compares Queue with AverageQueue for every bucket in a simple way like this.

boolean result;
int index = new int [number_of_bucket];

for (…){

result = Queue>AverageQueue;
if (result == true){
index[i] = i;
}
}

My questions are: Since the for loop will do this comparison for all the buckets, will the alert return TRUE if any of queue values are bigger than average queue, or will it only return TRUE if the last comparison is TRUE?

Additionally, I am saving the bucket number i in index. Can I use index somehow in the message for the alerts?

Thank you for your time.

jathin12 · December 23, 2021, 11:12pm

you cloud do something like this

ctx.results[0].transform = [:];
ctx.results[0].transform.high_queue_hosts = ctx.results[0].aggregations.Host.buckets.stream().filter( your condition).map(t → {return [‘host’: t.key, ‘queue_size’: t.queue_size.value ]}).collect(Collectors.toList())

and the you can use ctx.results[0].transform.high_queue_hosts in the actions section of your alert

joao.escusa · December 27, 2021, 10:30am

Thank you. I shall do some testing with this solution.

joao.escusa · December 27, 2021, 12:22pm

I managed to correct the syntax, but I now have a different error.

I believe the mapping is not working.

 "caused_by" : {
    "type" : "wrong_method_type_exception",
    "reason" : "cannot convert MethodHandle(Stream,Predicate)Stream to (Object,boolean)Object"
  }

joao.escusa · December 27, 2021, 2:56pm

After some confusion, and lack of code syntax, I managed to get some results with your approach.

Thank you very much, I will now try to manipulate the filters and what not and see if I achieve what I want.

joao.escusa · December 28, 2021, 9:35am

Ok, I can’t seem to understand how the filter works.

Could you provide me an example?

Thank you.

jathin12 · December 28, 2021, 1:57pm

"query": {
          "size": 100,
          "query": {
            "bool": {
              "must": [
                {
                  "term": {
                    "FieldA": {
                      "value": "ValueA"
                    }
                  }
                },
                {
                  "term": {
                    "FieldB": {
                      "value": "ValueB"
                    }
                  }
                },
                {
                  "range": {
                    "Timestamp": {
                      "from": "now-35m/m",
                      "to": "now-5m/m"
                    }
                  }
                }
              ],
              "filter": [
                {
                  "exists": {
                    "field": "FieldC"
                  }
                }
              ]
            }
          }

Topic		Replies	Views
A value from ctx not showing in alert message Alerting	1	720	August 17, 2021
Alerts - group by host/server Alerting	4	1711	February 14, 2024
Difficulty Understanding Creating Alerts on Amazon ES Alerting	2	770	October 4, 2019
How to iterate through Alert buckets Alerting	3	448	November 4, 2020
Trigger condition based on iteration Alerting	2	940	September 30, 2021

Understanding loops and variable index in alerting

Related Topics