I'm using elasticsearch 6.5.4, and a kibana watcher to alert. I have a filter range like so:
"filter": [
{
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-{{ctx.metadata.triggered_interval}}m"
}
}
}
]
The scheduled_time is every hour at the 5th minute (1:05, 2:05, etc.) The triggered_interval is 60.
I want to gather a range of @timestamps, ignoring the most recent 5 minutes. Basically, certain status messages might be too new to true errors, so want to ignore them.
I'm trying to craft this so it reads as: begin time is trigger.scheduled_time - 5m and end time is triggered_interval.
The range format is time1-time2, so scheduled_time-5m-triggered_interval is invalid syntax. I've tried a few iterations but nothing seems to work. The watcher just returns null pointer exception.
"gte": "<{{{ctx.trigger.scheduled_time}}||-5m}>-{{ctx.metadata.triggered_interval}}m"
"gte": "<{{ctx.trigger.scheduled_time}}||-5m>-{{ctx.metadata.triggered_interval}}m"
"gte": "{{ctx.trigger.scheduled_time}}||-5m-{{ctx.metadata.triggered_interval}}m"
"gte": "({{ctx.trigger.scheduled_time}}||-5m)-{{ctx.metadata.triggered_interval}}m"
Is this possible to do in the range filter?
The elasticsearch date math functionality together with a range query should do the trick.
If you want to select all events older than 5 minutes and younger than 60 minutes, relative to the execution time, I´ll go with this:
"filter": [
{
"range": {
"@timestamp": {
"lte": "now-5m/m",
"gte": "now-60m/m"
}
}
}
]
In other words: Get all events, where the @timestamp is older than 5 minutes but not older than 60 minutes with all @timestamps rounded to full minute. If you don´t need the rounding, just remove the /m.
Cheers!