[DOCS] Correct watcher event data example #56469

Merged
merged 3 commits into from
May 12, 2020
Expand Up @@ -83,8 +83,7 @@ To set up the watch:
"search": {
"request": {
"indices": [
"<logstash-{now-1h}>", <1>
"<logstash-{now}>"
Contributor

With ILM there will be an alias by default named logstash. Rather than trying to query the concrete indices, I think the example should just use a single index logstash and the note below call out that logstash is an alias.

In general we should avoid examples that include both time based (e.g. {now}) and rollover based (e.g. -00001) in favor of the fronting alias. The time stamp on the index when combined with rollover changes meaning such that it is the time when the index was created, not necessarily reflective of the content of that index (the content is dependent on the rollover rules). It is a distinction difficult to describe and the alias should be the preferred access across multiple rolled over indices.

Contributor Author

Thanks @jakelandis. I've updated this and the following snippet to use the logstash index alias with 2c1d2db.

Also added some more context around Logstash ILM defaults in the callout text.

"logstash" <1>
],
"body": {
"size": 0,
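Review bot: with the two date-math patterns replaced by `"logstash" <1>` under `indices`, nothing in this hunk limits the search to recent data any more; the old `<logstash-{now-1h}>` pattern at least narrowed the set of indices searched. Please confirm that the query under `body` filters on a time range, and mention it in the <1> callout. Otherwise every execution of the watch searches all indices behind the alias and can keep matching old RSVPs.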
Expand All @@ -109,13 +108,13 @@ To set up the watch:
"aggs": {
"group_by_city": {
"terms": {
"field": "group.group_city.raw", <3>
"field": "group.group_city.keyword", <3>
"size": 5
},
"aggs": {
"group_by_event": {
"terms": {
"field": "event.event_url.raw", <4>
"field": "event.event_url.keyword", <4>
"size": 5
},
"aggs": {
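Review bot: the switch from `group.group_city.raw` and `event.event_url.raw` to the `.keyword` sub-fields assumes the indices behind the example have a mapping that defines `.keyword`, and callouts <3> and <4> do not say so. A terms aggregation on a field that is not mapped returns no buckets rather than an error, so a reader whose indices still use the `.raw` sub-field would get a watch that silently reports nothing. Suggest one sentence near the callouts naming the sub-field the example relies on; the same applies to `event.event_name.keyword` further down.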
Expand All @@ -130,7 +129,7 @@ To set up the watch:
"aggs": {
"group_by_event_name": {
"terms": {
"field": "event.event_name.raw" <6>
"field": "event.event_name.keyword" <6>
}
}
}
Expand All @@ -146,7 +145,13 @@ To set up the watch:
},
-------------------------------------------------
// NOTCONSOLE
<1> Elasticsearch Date math is used to select the Logstash indices that contain the meetup data. The second pattern is needed in case the previous hour crosses days.
<1> `logstash` is the default <<indices-add-alias,index alias>> for the {ls}
indices containing the meetup data. By default, the {ls}
<<index-lifecycle-management,{ilm} ({ilm-init})>> policy rolls this alias to a
new index when the index size reaches 50GB or becomes 30 days old. For more
information, see
{logstash-ref}/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-ilm[{ilm-init}
defaults in Logstash].
<2> Find all of the RSVPs with `Open Source` as a topic.
<3> Group the RSVPs by city.
<4> Consolidate multiple RSVPs for the same event.
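Review bot: in the new <1> callout, "when the index size reaches 50GB or becomes 30 days old" reads as if the size becomes 30 days old; suggest "when the index reaches 50GB in size or is 30 days old". The 50GB and 30 day figures also repeat what the linked Logstash page documents, so they can drift if those defaults change; consider leaving the numbers to the link. The removed callout explained why two index patterns were needed, and the new text could likewise state that searching the alias covers all of the rolled-over indices.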
Expand All @@ -159,7 +164,7 @@ To set up the watch:
--
[source,js]
--------------------------------------------------
"compare" : { "ctx.payload.hits.total.value" : { "gt" : 0 }}
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
--------------------------------------------------
// NOTCONSOLE
--
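Review bot: the condition path changes from `ctx.payload.hits.total.value` to `ctx.payload.hits.total`, but nothing around the snippet says why it has no `.value`. Readers who know the object form of `hits.total` from search responses are likely to treat this as a typo and add `.value` back. Suggest a short sentence above the snippet stating the shape of `hits.total` in the watch payload, so the corrected path is not reverted later.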
Expand Down Expand Up @@ -207,8 +212,7 @@ PUT _watcher/watch/meetup
"search": {
"request": {
"indices": [
"<logstash-{now-1h}>",
"<logstash-{now}>"
"logstash"
],
"body": {
"size": 0,
Expand All @@ -233,13 +237,13 @@ PUT _watcher/watch/meetup
"aggs": {
"group_by_city": {
"terms": {
"field": "group.group_city.raw",
"field": "group.group_city.keyword",
"size": 5
},
"aggs": {
"group_by_event": {
"terms": {
"field": "event.event_url.raw",
"field": "event.event_url.keyword",
"size": 5
},
"aggs": {
Expand All @@ -254,7 +258,7 @@ PUT _watcher/watch/meetup
"aggs": {
"group_by_event_name": {
"terms": {
"field": "event.event_name.raw"
"field": "event.event_name.keyword"
}
}
}
Expand All @@ -270,7 +274,7 @@ PUT _watcher/watch/meetup
},
"condition": {
"compare": {
"ctx.payload.hits.total.value": {
"ctx.payload.hits.total": {
"gt": 0
}
}