
Elastic Watcher in Five Minutes

By prashant kadatare - August 27, 2021

X-Pack exposes REST APIs that are used by the UI components and can also be called directly to configure and access X-Pack features. The Watcher API is one such feature, and it is the subject of this blog.

Elasticsearch has excellent documentation for the majority of its APIs. But when you are short of time and just want to try something out quickly, this five-minute read will get you there.

PUT _xpack/watcher/watch/watch_name
{
"trigger" : {},
"input" : {},
"condition" : { },
"transform" : { },
"actions" : {}
}

This is a simple Elasticsearch call that can be executed in the Kibana console. It creates a Watcher named "watch_name". Below, we discuss each element separately:

Trigger

Determines when the watch execution process should start. You can either provide a cron expression or specify a period in terms of intervals.

"trigger" : {
"schedule" : {
"interval" : "5m"
}
}

This is an interval-based trigger: once the Watcher is created, it executes every five minutes.

Input

Input is the source from where we fetch the data and load it into the execution context. The result from this input is called a “watcher payload” or “context payload”. Watcher supports four types of inputs:

  • simple: load static data into the execution context
  • search: load the results of a search into the execution context
  • http: load the results of an HTTP request into the execution context
  • chain: use a series of inputs to load data into the execution context

Condition

The condition decides whether the Watcher actions should be invoked. If no condition is given, it defaults to always true.

"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
}
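
As an added example (not code from the original post or from Elastic), the following Python snippet re-implements the documented semantics of the compare condition (a dotted ctx path compared with eq / not_eq / gt / gte / lt / lte) so a condition can be tested locally against a captured search response before the watch is deployed. The condition and the sample payload are constructed; two choices are assumptions made for this example: an unresolved path is treated as "condition not met" rather than an error, and a hits.total that arrives as an object (the ES 7+ search API shape, {"value": N, "relation": "eq"}) is unwrapped to its value.

```python
"""Local evaluator for Watcher's `compare` condition.

Added example, not code from the original post or from Elastic.
"""
from typing import Any

# Comparison operators supported by the compare condition.
OPERATORS = {
    "eq": lambda a, b: a == b,
    "not_eq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "lte": lambda a, b: a <= b,
}


def resolve_path(ctx: dict, path: str) -> Any:
    """Walk a dotted path such as 'ctx.payload.hits.total' through nested
    dicts and lists; return None as soon as a segment is missing."""
    node: Any = {"ctx": ctx}
    for part in path.split("."):
        if isinstance(node, dict) and part in node:
            node = node[part]
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return None
    return node


def evaluate_compare(condition: dict, ctx: dict) -> bool:
    """Evaluate {"compare": {"<path>": {"<op>": value}}} against a context.

    Assumption (this example's choice): an unresolved path means the
    condition is not met, which is the conservative outcome for alerting.
    """
    (path, clause), = condition["compare"].items()
    (op, expected), = clause.items()
    if op not in OPERATORS:
        raise ValueError(f"unsupported compare operator: {op!r}")
    actual = resolve_path(ctx, path)
    if actual is None:
        return False
    # Assumption: unwrap the ES 7+ search API shape {"value": N, "relation": ...}
    # so a captured plain-search response can be tested with the same condition.
    if isinstance(actual, dict) and "value" in actual:
        actual = actual["value"]
    return OPERATORS[op](actual, expected)


# The condition used by the blog's log_error_watch.
LOG_ERROR_CONDITION = {"compare": {"ctx.payload.hits.total": {"gt": 0}}}

# Constructed sample context: a search-input payload with three matching hits.
SAMPLE_CTX = {
    "payload": {
        "hits": {
            "total": 3,
            "hits": [{"_source": {"message": "Error: File not found"}}] * 3,
        }
    }
}


if __name__ == "__main__":
    print("condition met:", evaluate_compare(LOG_ERROR_CONDITION, SAMPLE_CTX))
    print("empty result:", evaluate_compare(LOG_ERROR_CONDITION, {"payload": {"hits": {"total": 0}}}))
    print("missing path:", evaluate_compare(LOG_ERROR_CONDITION, {"payload": {}}))
```

Running it with a search response pasted into SAMPLE_CTX tells you whether the watch would fire without touching the cluster, and the missing-path case is worth checking explicitly: a typo in the ctx path silently produces a watch that never alerts.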

Transformation

A “Transform” processes and changes the payload in the watch execution context to prepare it for the watch actions.

Action

Actions are executed when the condition is met, e.g. send an email, send a Slack message, call a REST service, write a log entry, etc.

"actions": {
"log": {
"logging": {
"text": "We got the expected error"
}
}
}

Watcher APIs

1. Create Watcher

PUT _xpack/watcher/watch/watch_name
{
\\Body
}

2. Get Watcher

GET _xpack/watcher/watch/watch_name

3. Activate/Deactivate watcher

PUT _xpack/watcher/watch/watch_name/_activate

PUT _xpack/watcher/watch/watch_name/_deactivate

4. Execute Watcher

PUT _xpack/watcher/watch/watch_name/_execute

So our final Watcher looks something like this:

PUT _xpack/watcher/watch/log_error_watch
{
"trigger": {
"schedule": {
"interval": "10m"
}
},
"input": {
"search": {
"request": {
"indices": ["logs"],
"body": {
"query": {
"match": {
"message": "error"
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"log": {
"logging": {
"text": "We got the expected error"
}
}
}
}

Highlights about the Watcher definition above:

  • This Watcher executes once every 10 minutes
  • Its input is a search query that looks in the logs index for documents whose message matches "error"
  • If the condition is met (at least one hit), it executes the action
  • The action writes a line to the Elasticsearch log, which you can check in the Elasticsearch log output

This should get you started with Watchers.

Below, I have provided a sample Watcher which will execute different kinds of actions. You can refer to them and create a new one with your desired requirements.

(Note: Please check the below sample queries to add a new logs index and feed it with data)

Steps to follow

Step 1: Add a new index logs

PUT logs

Step 2: Add mapping for the newly added index

PUT logs/_mapping/event
{
"properties":
{
"request": { "type": "keyword" },
"status_code": { "type": "keyword" },
"message": { "type": "keyword" },
"timestamp": { "type": "date" }
}
}

Step 3: Add a document to this index which will satisfy the Watcher condition

POST logs/event
{
"timestamp" : "2015-05-17T18:12:07.613Z",
"request" : "GET index.html",
"status_code" : 404,
"message" : "Error: File not found"
}

Step 4: Execute the Watcher

PUT _xpack/watcher/watch/log_error_watch/_execute

A more advanced version is shown below. For this one you may need some basic setup first, such as configuring an email account and a Slack account (for the email and Slack actions) and a webhook endpoint that Elasticsearch can call.

PUT _xpack/watcher/watch/log_error_watch
{
"trigger": {
"schedule": {
"interval": "10m"
}
},
"input": {
"search": {
"request": {
"indices": ["logs"],
"body": {
"query": {
"match": {
"message": "error"
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"log": {
"logging": {
"text": "We got the expected error"
}
},
"email_action": {
"email": {
"to": "test@gmail.com",
"subject": "Encountered errors",
"body": "Too many 404 error in the system, see attached data",
"attachments": {
"attached_data": {
"data": {
"format": "json"
}
}
}
}
},
"webhook_action": {
"webhook": {
"method": "POST",
"host": "localhost",
"port": 1234,
"path": "/",
"body": "Encountered errors"
}
},
"notify-slack": {
"throttle_period": "5m",
"slack": {
"message": {
"to": [
"#admins",
"@chief-admin"
],
"text": "Encountered errors in the last 5 minutes (facepalm)"
}
}
}
}
}
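
The notify-slack action above carries a throttle_period of 5m. As an added example, not code from the original post or from Elastic, the Python simulation below models the documented behaviour: the watch runs on every schedule tick, and an action is skipped when it last executed less than its throttle_period ago. The watch used here is a constructed copy of the 10m schedule and the notify-slack throttle above, plus a hypothetical page-oncall action with a 30m throttle so that suppression is actually visible; the 5s default applied to actions without a throttle_period is taken from Watcher's default_throttle_period setting.

```python
"""Simulate how the trigger interval and per-action throttle_period interact.

Added example, not code from the original post or from Elastic.
"""
import re

# Multipliers to seconds for Elasticsearch time values (5m, 30s, 1h, ...).
_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> float:
    """Parse an Elasticsearch time value such as '5m' or '10m' into seconds."""
    match = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m|h|d)", text.strip())
    if not match:
        raise ValueError(f"unsupported duration: {text!r}")
    return float(match.group(1)) * _UNITS[match.group(2)]


def simulate_firings(watch: dict, ticks: int, default_throttle: str = "5s") -> dict:
    """Run `ticks` scheduled executions, assuming the condition is met on
    every tick, and return how many times each action actually executes.

    default_throttle: assumed default for actions without throttle_period,
    taken from Watcher's default_throttle_period setting (5s).
    """
    interval = parse_duration(watch["trigger"]["schedule"]["interval"])
    counts: dict = {}
    last_fired: dict = {}
    for tick in range(ticks):
        now = tick * interval
        for name, action in watch["actions"].items():
            throttle = parse_duration(action.get("throttle_period", default_throttle))
            counts.setdefault(name, 0)
            # Throttled: this action ran less than throttle_period ago, skip it.
            if name in last_fired and now - last_fired[name] < throttle:
                continue
            last_fired[name] = now
            counts[name] += 1
    return counts


# Constructed watch: the blog's 10m schedule and notify-slack throttle,
# plus a hypothetical page-oncall action to show a throttle longer than the interval.
SAMPLE_WATCH = {
    "trigger": {"schedule": {"interval": "10m"}},
    "actions": {
        "log": {"logging": {"text": "We got the expected error"}},
        "notify-slack": {
            "throttle_period": "5m",
            "slack": {"message": {"to": ["#admins"], "text": "Encountered errors"}},
        },
        "page-oncall": {  # hypothetical action, not in the original watch
            "throttle_period": "30m",
            "webhook": {"method": "POST", "host": "localhost", "port": 1234, "path": "/"},
        },
    },
}


if __name__ == "__main__":
    # Six ticks cover minutes 0, 10, 20, 30, 40 and 50.
    print(simulate_firings(SAMPLE_WATCH, 6))
```

The result makes the sizing point: a 5m throttle on a watch that only runs every 10m never suppresses anything, so notify-slack fires on all six ticks just like the unthrottled log action, while the 30m throttle lets page-oncall fire only at minute 0 and minute 30. If the goal is to avoid paging on every run, the throttle_period has to exceed the trigger interval.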