Siren Platform User Guide

Watcher rule

To illustrate the trigger logic, we will create an alert for an aggregation against the data we just created. The basic Siren Alert example will use simple parameters:

  • Run each 60 seconds.
  • Target the daily mos-* index with query aggregation.
  • Trip condition when aggregations.avg.value < 3.
  • Email action with details.
curl -H "Content-Type: application/json" -XPUT http://127.0.0.1:9200/watcher/watch/mos -d'
{
  "trigger": {
    "schedule" : { "later" : "every 1 minute"  }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "<mos-{now/d}>", "<mos-{now/d-1d}>"  ],
        "body" : {
          "query" : {
            "filtered" : {
              "query": {
                "query_string": {
                  "query": "mos:*",
                  "analyze_wildcard": true
                }
              },
              "filter" : { "range" : { "@timestamp" : { "from" : "now-5m"  } } }
            }
          },
           "aggs": {
             "avg": {
               "avg": {
                 "field": "mos"
               }
             }
           }
        }
      }
    }
  },
  "condition" : {
    "script" : {
      "script" : "payload.aggregations.avg.value < 3"
    }
  },
  "transform" : {},
  "actions" : {
    "email_admin" : {
    "throttle_period" : "15m",
    "email" : {
      "to" : "mos@qxip.net",
      "from" : "sirenalert@qxip.net",
      "subject" : "Low MOS Detected: {{payload.aggregations.avg.value}} ",
      "priority" : "high",
      "body" : "Low MOS Detected:\n {{payload.aggregations.avg.value}} average with {{payload.aggregations.count.value}} measurements in 5 minutes"
    }
    }
  }
}'