问题描述
我正在尝试模拟(simulate)一个 Elasticsearch Watcher 的监视(watch),并查看操作(action)是否能正常触发。但我的问题是搜索没有返回结果。我的查询:
- 检查特定索引。
- 检查范围
- 检查 servicename 字段是否为特定值。
这是我的 watch 定义:
{
"trigger": {
"schedule": {
"interval": "10m"
}
},"input": {
"search": {
"request": {
"search_type": "query_then_fetch","indices": [
"datasolutions-svc-*"
],"body": {
"query": {
"bool": {
"filter": [
{
"term": {
"level": {
"value": "ERROR"
}
}
},{
"term": {
"servicename": [
"Iit.Det.Urm.MepsSubscriber"
]
}
},{
"range": {
"@timestamp": {
"gte": "Now-60m"
}
}
}
]
}
}
}
}
}
},"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},"actions": {
"notify-slack": {
"slack": {
"account": "elastic_watcher_alerts","proxy": {
"host": "proxy.dom","port": 80
},"message": {
"from": "Error Monitor","to": [
"#det-errors"
],"text": "The following error(s) have been logged","dynamic_attachments": {
"list_path": "ctx.payload.items","attachment_template": {
"color": "#f00","title": "{{msg}}","title_link": "https://elastic.mid.dom:port/{{index}}/doc/{{id}}?pretty","text": "{{msg}}","fields": [
{
"title": "Server","value": "{{host}}","short": true
},{
"title": "Servicename","value": "{{service}}","short": true
}
]
}
}
}
}
}
},"transform": {
"script": {
"source": "['items': ctx.payload.hits.hits.collect(hit -> ['msg': hit._source.message,'service': hit._source.servicename,'index': hit._index,'id' : hit._id,'host': hit._source.agent.hostname ])]","lang": "painless"
}
}
}
我现在尝试使用模拟(simulate)选项并为其提供替代输入(alternative input)来测试它。该输入复制自索引中的真实数据:我从 Kibana 的 Discover(发现)页面复制了一个 JSON 文档,所以替代输入的 JSON 本身应该没有问题。
这是替代输入
{
"_index": "datasolutions-svc-live-7.7.0-2021.01","_type": "doc","_id": "Hre9SHcB1QIqYEnyxSCw","_version": 1,"_score": null,"_source": {
"exception": "System.Data.sqlClient.sqlException (0x80131904): blabla","agent": {
"hostname": "SATSVC3-DK1","name": "datasolutions-svc-live","id": "8c826ae1-e411-4257-a31f-08824dd58b5a","type": "filebeat","ephemeral_id": "e355bf8a-be67-4ed1-85f4-b9043674700e","version": "7.7.0"
},"log": {
"file": {
"path": "D:\\logs\\7DaysRetention\\Iit.Det.Urm.MepsSubscriber\\Iit.Det.Urm.MepsSubscriber.log.20210128.log"
},"offset": 17754757
},"level": "ERROR","message": "Error while starting service.","@timestamp": "2021-02-17T10:00:28.343Z","ecs": {
"version": "1.5.0"
},"host": {
"name": "datasolutions-svc-live"
},"servicename": "Iit.Det.Urm.MepsSubscriber","codelocation": "Iit.Det.Urm.MepsSubscriber.MepsSubscriberService.OnStart:29"
},"fields": {
"@timestamp": [
"2021-02-17T10:00:28.343Z"
]
},"highlight": {
"servicename": [
"@kibana-highlighted-field@Iit.Det.Urm.MepsSubscriber@/kibana-highlighted-field@"
]
},"sort": [
1611833128343
]
}
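但是当我运行“模拟”时,得到的 ctx.payload.hits.total 为 null,看起来像是没有找到任何结果。需要注意的是,下面的模拟结果中输入类型为 "simple":替代输入被直接当作 payload 使用,搜索并没有真正执行,而这份单条文档里本来就没有 hits.total 字段,因此这次模拟并不能验证查询本身是否正确。模拟结果: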
{
"watch_id": "_inlined_","node": "eMS-E34eT4-zZhGwtPNSmw","state": "execution_not_needed","user": "sum","status": {
"state": {
"active": true,"timestamp": "2021-02-17T10:57:04.077Z"
},"last_checked": "2021-02-17T10:57:04.077Z","actions": {
"notify-slack": {
"ack": {
"timestamp": "2021-02-17T10:57:04.077Z","state": "awaits_successful_execution"
}
}
},"execution_state": "execution_not_needed","version": -1
},"trigger_event": {
"type": "manual","triggered_time": "2021-02-17T10:57:04.077Z","manual": {
"schedule": {
"scheduled_time": "2021-02-17T10:57:04.077Z"
}
}
},"input": {
"search": {
"request": {
"search_type": "query_then_fetch","indices": [
"datasolutions-svc-*"
],"rest_total_hits_as_int": true,"body": {
"query": {
"bool": {
"filter": [
{
"term": {
"level": {
"value": "ERROR"
}
}
},{
"term": {
"servicename": [
"Iit.Det.Urm.MepsSubscriber"
]
}
},{
"range": {
"@timestamp": {
"gte": "Now-60m"
}
}
}
]
}
}
}
}
}
},"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},"Metadata": {
"name": "datasolutions-svc-mepssubscriber","xpack": {
"type": "json"
}
},"result": {
"execution_time": "2021-02-17T10:57:04.077Z","execution_duration": 0,"input": {
"type": "simple","status": "success","payload": {
"highlight": {
"servicename": [
"@kibana-highlighted-field@Iit.Det.Urm.MepsSubscriber@/kibana-highlighted-field@"
]
},"_index": "datasolutions-svc-live-7.7.0-2021.01","_source": {
"exception": "System.Data.sqlClient.sqlException (0x80131904): blabla","agent": {
"hostname": "SATSVC3-DK1","version": "7.7.0"
},"ecs": {
"version": "1.5.0"
},"log": {
"file": {
"path": "D:\\logs\\7DaysRetention\\Iit.Det.Urm.MepsSubscriber\\Iit.Det.Urm.MepsSubscriber.log.20210128.log"
},"offset": 17754757
},"host": {
"name": "datasolutions-svc-live"
},"codelocation": "Iit.Det.Urm.MepsSubscriber.MepsSubscriberService.OnStart:29"
},"sort": [
1611833128343
],"fields": {
"@timestamp": [
"2021-02-17T10:00:28.343Z"
]
},"_version": 1
}
},"condition": {
"type": "compare","met": false,"compare": {
"resolved_values": {
"ctx.payload.hits.total": null
}
}
},"actions": []
},"messages": []
}
我不明白它为什么找不到任何结果。有人能告诉我我做错了什么吗?
解决方法
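我通过 Kibana Discover(发现)页面的“Inspect(检查)”功能查看实际发出的查询,从而解决了这个问题。
与原来的查询相比,servicename 和 level 的 term 过滤改成了 match_phrase(原先的 term 查询给 servicename 传入了数组,而 term 只接受单个值),时间范围也从 "Now-60m" 改成了小写的 "now-10m"(日期数学表达式中的 now 必须小写)。最后,我必须把 watch 的查询输入(input)改为: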
"input": {
"search": {
"request": {
"search_type": "query_then_fetch","indices": [
"datasolutions-svc-*"
],"rest_total_hits_as_int": true,"body": {
"query": {
"bool": {
"must": [],"filter": [
{
"bool": {
"should": [
{
"match_phrase": {
"servicename": "Iit.Det.Urm.MepsSubscriber"
}
}
],"minimum_should_match": 1
}
},{
"match_phrase": {
"level": "ERROR"
}
},{
"range": {
"@timestamp": {
"gte": "now-10m","format": "strict_date_optional_time"
}
}
}
],"should": [],"must_not": []
}
}
}
}
}
}