lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298
							[[actions]]
== Actions

When a watch's condition is met, its actions are executed unless it is being
<<actions-ack-throttle, throttled>>. A watch can perform multiple actions.
The actions are executed one at a time and each action executes independently.
Any failures encountered while executing an action are recorded in the
action result and in the watch history.

NOTE:	If no actions are defined for a watch, no actions are executed.
        However, a `watch_record` is still written to the watch history.

Actions have access to the payload in the execution context. They can use it to
support their execution in any way they need. For example, the payload might
serve as a model for a templated email body.

{watcher} supports the following types of actions:
<<actions-email, email>>, <<actions-webhook, webhook>>, <<actions-index, index>>,
<<actions-logging, logging>>, <<actions-hipchat, hipchat>>, <<actions-slack,
Slack>>, and <<actions-pagerduty, pagerduty>>.

[float]
[[actions-ack-throttle]]
=== Acknowledgement and Throttling

During the watch execution, once the condition is met, a decision is made per
configured action as to whether it should be throttled. The main purpose of
action throttling is to prevent too many executions of the same action for the
same watch.

For example, suppose you have a watch that detects errors in an application's log
entries. The watch is triggered every five minutes and searches for errors during
the last hour. In this case, if there are errors, there is a period of time where
the watch is checked and its actions are executed multiple times based on the same
errors. As a result, the system administrator receives multiple notifications about
the same issue, which can be annoying.

To address this issue, {watcher} supports time-based throttling. You can define
a throttling period as part of the action configuration to limit how often the
action is executed. When you set a throttling period, {watcher} prevents repeated
execution of the action if it has already executed within the throttling period
time frame (`now - throttling period`).

The following snippet shows a watch for the scenario described above - associating
a throttle period with the `email_administrator` action:

[source,js]
--------------------------------------------------
PUT _watcher/watch/error_logs_alert
{
  "metadata" : {
    "color" : "red"
  },
  "trigger" : {
    "schedule" : {
      "interval" : "5m"
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : "log-events",
        "body" : {
          "size" : 0,
          "query" : { "match" : { "status" : "error" } }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total.value" : { "gt" : 5 }}
  },
  "actions" : {
    "email_administrator" : {
      "throttle_period": "15m", <1>
      "email" : { <2>
        "to" : "sys.admino@host.domain",
        "subject" : "Encountered {{ctx.payload.hits.total.value}} errors",
        "body" : "Too many error in the system, see attached data",
        "attachments" : {
          "attached_data" : {
            "data" : {
              "format" : "json"
            }
          }
        },
        "priority" : "high"
      }
    }
  }
}
--------------------------------------------------
// CONSOLE
<1> There will be at least 15 minutes between subsequent `email_administrator`
		action executions.
<2> See <<actions-email, Email Action>> for more information.

You can also define a throttle period at the watch level. The watch-level
throttle period serves as the default throttle period for all of the actions
defined in the watch:

[source,js]
--------------------------------------------------
PUT _watcher/watch/log_event_watch
{
  "trigger" : {
    "schedule" : { "interval" : "5m" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : "log-events",
        "body" : {
          "size" : 0,
          "query" : { "match" : { "status" : "error" } }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total.value" : { "gt" : 5 }}
  },
  "throttle_period" : "15m", <1>
  "actions" : {
    "email_administrator" : {
      "email" : {
        "to" : "sys.admino@host.domain",
        "subject" : "Encountered {{ctx.payload.hits.total.value}} errors",
        "body" : "Too many error in the system, see attached data",
        "attachments" : {
          "attached_data" : {
            "data" : {
              "format" : "json"
            }
          }
        },
        "priority" : "high"
      }
    },
    "notify_pager" : {
      "webhook" : {
        "method" : "POST",
        "host" : "pager.service.domain",
        "port" : 1234,
        "path" : "/{{watch_id}}",
        "body" : "Encountered {{ctx.payload.hits.total.value}} errors"
      }
    }
  }
}
--------------------------------------------------
// CONSOLE

<1> There will be at least 15 minutes between subsequent action executions
		(applies to both `email_administrator` and `notify_pager` actions)

If you do not define a throttle period at the action or watch level, the global
default throttle period is applied. Initially, this is set to 5 seconds. To
change the global default, configure the `xpack.watcher.execution.default_throttle_period`
setting in `elasticsearch.yml`:

[source,yaml]
--------------------------------------------------
xpack.watcher.execution.default_throttle_period: 15m
--------------------------------------------------

{watcher} also supports acknowledgement-based throttling. You can acknowledge a
watch using the {ref}/watcher-api-ack-watch.html[Ack Watch API] to prevent the
watch actions from being executed again while the watch condition remains `true`.
This essentially tells {watcher} "I received the notification and I'm handling
it, please do not notify me about this error again". An acknowledged watch action
remains in the `acked` state until the watch's condition evaluates to `false`.
When that happens, the action's state changes to `awaits_successful_execution`.

To acknowledge an action, you use the
{ref}/watcher-api-ack-watch.html[Ack Watch API]:

[source,js]
----------------------------------------------------------------------
POST _watcher/watch/<id>/_ack/<action_ids>
----------------------------------------------------------------------
// CONSOLE
// TEST[skip:https://github.com/elastic/x-plugins/issues/2513]

Where `<id>` is the id of the watch and `<action_ids>` is a comma-separated list
of the action ids you want to acknowledge. To acknowledge all actions, omit the
`actions` parameter.

The following diagram illustrates the throttling decisions made for each action
of a watch during its execution:

image::images/action-throttling.jpg[align="center"]


[[action-conditions]]
=== Adding conditions to actions

When a watch is triggered, its condition determines whether or not to execute the
watch actions. Within each action, you can also add a condition per action. These
additional conditions enable a single alert to execute different actions depending
on a their respective conditions. The following watch would always send an email, when
hits are found from the input search, but only trigger the `notify_pager` action when
there are more than 5 hits in the search result.

[source,js]
--------------------------------------------------
PUT _watcher/watch/log_event_watch
{
  "trigger" : {
    "schedule" : { "interval" : "5m" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : "log-events",
        "body" : {
          "size" : 0,
          "query" : { "match" : { "status" : "error" } }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total.value" : { "gt" : 0 } }
  },
  "actions" : {
    "email_administrator" : {
      "email" : {
        "to" : "sys.admino@host.domain",
        "subject" : "Encountered {{ctx.payload.hits.total.value}} errors",
        "body" : "Too many error in the system, see attached data",
        "attachments" : {
          "attached_data" : {
            "data" : {
              "format" : "json"
            }
          }
        },
        "priority" : "high"
      }
    },
    "notify_pager" : {
      "condition": { <1>
        "compare" : { "ctx.payload.hits.total.value" : { "gt" : 5 } }
      },
      "webhook" : {
        "method" : "POST",
        "host" : "pager.service.domain",
        "port" : 1234,
        "path" : "/{{watch_id}}",
        "body" : "Encountered {{ctx.payload.hits.total.value}} errors"
      }
    }
  }
}
--------------------------------------------------
// CONSOLE

<1> A `condition` that only applies to the `notify_pager` action, which
    restricts its execution to when the condition succeeds (at least 5 hits in this case).

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/watcher/actions/email.asciidoc
include::actions/email.asciidoc[]

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/watcher/actions/webhook.asciidoc
include::actions/webhook.asciidoc[]

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/watcher/actions/index.asciidoc
include::actions/index.asciidoc[]

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/watcher/actions/logging.asciidoc
include::actions/logging.asciidoc[]

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/watcher/actions/hipchat.asciidoc
include::actions/hipchat.asciidoc[]

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/watcher/actions/slack.asciidoc
include::actions/slack.asciidoc[]

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/watcher/actions/pagerduty.asciidoc
include::actions/pagerduty.asciidoc[]

:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/watcher/actions/jira.asciidoc
include::actions/jira.asciidoc[]

[float]
[[actions-ssl-openjdk]]
=== Using SSL/TLS with OpenJDK

As each distributor is free to choose how to package OpenJDK, it may happen,
that even despite the exact same version, an OpenJDK distribution contains
different parts under different Linux distributions.

This can lead to issues with any action or input that uses TLS, like the `jira`,
`pagerduty`, `slack`, `hipchat` or `webhook` one, because of missing CA certs.
If you encounter TLS errors, when writing watches that connect to TLS endpoints,
you should try to upgrade to the latest available OpenJDK distribution for your
platform and if that does not help, try to upgrade to Oracle JDK.