1

I'm using elasticsearch 6.5.4, and a kibana watcher to alert. I have a filter range like so:

"filter": [
  {
    "range": {
      "@timestamp": {
        "gte": "{{ctx.trigger.scheduled_time}}||-{{ctx.metadata.triggered_interval}}m"
      }
    }
  }
]

The scheduled_time is every hour at the 5th minute (1:05, 2:05, etc.) The triggered_interval is 60.

I want to gather a range of @timestamps, ignoring the most recent 5 minutes. Basically, certain status messages might be too new to true errors, so want to ignore them.

I'm trying to craft this so it reads as: begin time is trigger.scheduled_time - 5m and end time is triggered_interval.

The range format is time1-time2, so scheduled_time-5m-triggered_interval is invalid syntax. I've tried a few iterations but nothing seems to work. The watcher just returns null pointer exception.

"gte": "<{{{ctx.trigger.scheduled_time}}||-5m}>-{{ctx.metadata.triggered_interval}}m"
"gte": "<{{ctx.trigger.scheduled_time}}||-5m>-{{ctx.metadata.triggered_interval}}m"
"gte": "{{ctx.trigger.scheduled_time}}||-5m-{{ctx.metadata.triggered_interval}}m"
"gte": "({{ctx.trigger.scheduled_time}}||-5m)-{{ctx.metadata.triggered_interval}}m"

Is this possible to do in the range filter?

fbat
  • 27
  • 9

1 Answers1

4

The elasticsearch date math functionality together with a range query should do the trick.

If you want to select all events older than 5 minutes and younger than 60 minutes, relative to the execution time, I´ll go with this: 

"filter": [
  {
    "range": {
      "@timestamp": {
        "lte": "now-5m/m",
        "gte": "now-60m/m"
      }
    }
  }
]

In other words: Get all events, where the @timestamp is older than 5 minutes but not older than 60 minutes with all @timestamps rounded to full minute. If you don´t need the rounding, just remove the /m.

Cheers!

ibexit
  • 3,465
  • 1
  • 11
  • 25