elasticsearch watcher 不显示格式正确的时间

Question

我正在构建一个观察器，以根据该索引何时收到失败作业的报告来发送警报。在 "Discover" 选项卡中，日期 NextRunDate 显示得非常好：

JobName      MyJobName
NextRunDate  Feb 29, 2020 @ 06:30 AM

但是当我尝试用 watcher 拉它时，它不知何故落后了：

"key" : "MyJobName",
"NextRunDate" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
    {
    "key_as_string" : "Feb 29 @ 11:30 AM (Minus 5 hours)",
    "doc_count" : 24,
    "key" : 1582975800000
    }
  ]
}

我不得不将“（负 5 小时）”部分添加到查询中，以便它暂时正确显示。这是完整的观察者：

POST _watcher/watch/_execute
{
    "watch": {
        "trigger": {
            "schedule": {
                "hourly": {
                    "minute": [
                        0,
                        15,
                        30,
                        45
                    ]
                }
            }
        },
        "input": {
            "search": {
                "request": {
                    "search_type": "query_then_fetch",
                    "indices": [
                        "prod-jobs-*"
                    ],
                    "rest_total_hits_as_int": true,
                    "body": {
                        "size": 0,
                        "query": {
                            "bool": {
                                "filter": {
                                    "range": {
                                        "timestamp": {
                                            "gte": "now-15h"
                                        }
                                    }
                                },
                                "must": [
                                    {
                                        "match_all": {}
                                    }
                                ]
                            }
                        },
                        "aggs": {
                            "JobName": {
                                "terms": {
                                    "field": "JobName.keyword",
                                    "size": 5000,
                                    "order": {
                                        "_key": "desc"
                                    }
                                },
                                "aggs": {
                                    "PackageName": {
                                        "terms": {
                                            "field": "Package_Name.keyword",
                                            "size": 5000,
                                            "order": {
                                                "_key": "desc"
                                            }
                                        },
                                        "aggs": {
                                            "Error_Message": {
                                                "terms": {
                                                    "field": "Error_Message.keyword",
                                                    "size": 5000,
                                                    "order": {
                                                        "_key": "desc"
                                                    }
                                                }
                                            }
                                        }
                                    },
                                    "FailedDate": {
                                        "terms": {
                                            "field": "StopExecutionDate",
                                            "format": "MMM d @ h:mm a '(Minus 5 hours)'"
                                        }
                                    },
                                    "NextRunDate": {
                                        "terms": {
                                            "field": "NextRunDate",
                                            "format": "MMM d @ h:mm a '(Minus 5 hours)'"
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        },
        "condition": {
            "compare": {
                "ctx.payload.hits.total": {
                    "gt": 0
                }
            }
        },
        "actions": {
            "email_1": {
                "email": {
                    "profile": "standard",
                    "to": [],
                    "subject": "{{ctx.metadata.name}} has triggered",
                    "body": {
                        "html": "<html> <head> <style> body { font-family: 'Lucida Sans', 'Lucida Sans Regular', 'Lucida Grande', 'Lucida Sans Unicode', 'Geneva', 'Verdana', 'sans-serif'; } table { margin-left: 15px; border-left: 1.5px solid gray } tr, th { font-size: x-small; white-space: nowrap; text-align: left; padding: 7.5px; } td { font-size: x-small; text-align: left; padding: 7.5px; } </style> </head> <body> <h3>Job Failures with Errors</h3> {{#ctx.payload.aggregations.JobName.buckets}} <table style='border-collapse: collapse; border-spacing: 0;'> <tr> <th>Job Name</th> <td>{{key}}</td> <tr> <th>{{#PackageName.buckets}}Package Name</th> <td>{{key}}</td> </tr> <tr> <th>Error Message(s)</th> <td>{{#Error_Message.buckets}}{{key}}<br>{{/Error_Message.buckets}}</td>{{/PackageName.buckets}} </tr> <tr> <th>Job Fail Date/Time: </th> <td>{{#FailedDate.buckets}}{{key_as_string}}</td>{{/FailedDate.buckets}} </tr> <tr> <th>Next Run Date/Time: </th> <td>{{#NextRunDate.buckets}}{{key_as_string}}</td>{{/NextRunDate.buckets}} </tr> </table> <br>{{/ctx.payload.aggregations.JobName.buckets}}<br> </body> </html>"
                    }
                }
            }
        },
        "metadata": {
            "time_window": "5m",
            "time_period": "1m"
        }
    }
}

不确定问题出在哪里，因为 kibana 本身在“发现”选项卡上正确显示了日期。我的 format 字段关闭了吗？

Answer 1

因此，经过一段时间的尝试，我得到了弹性支持团队的帮助，结果如下：

观察者虽然有时在 kibana 中配置，但最终是 elasticsearch 功能。简而言之，这意味着观察者在调用时检索到的时间（"key" : 1582975800000）是来自实际 elasticsearch 节点的时间。

所以我不得不在我的观察者中创建一个转换属性，就像这样：

return 
[ 
    'new_payload': ctx.payload.aggregations.JobName.buckets.stream().map(job -> 
    { 
        return [ 
        'JobName': job.key, 
        'FailedDate': LocalDateTime.ofEpochSecond((job.FailedDate.buckets[0].key) / 1000 , 0, ZoneOffset.of(\"-04:00\")).format(DateTimeFormatter.ofPattern('MMM d @ h:mm a')), 
        'PackageName': job.PackageName.buckets.0.key, 
        'ErrorMessages': job.PackageName.buckets.0.Error_Message.buckets.stream().map(errors -> { return errors }).collect(Collectors.toList()), 
        'NextRunOffset': LocalDateTime.ofEpochSecond((job.NextRunDate.buckets[0].key) / 1000 , 0, ZoneOffset.of(\"-04:00\")).format(DateTimeFormatter.ofPattern('MMM d @ h:mm a')) 
    ]}).collect(Collectors.toList()) 
]

elasticsearch watcher 不显示格式正确的时间

elasticsearch watcher not displaying correct time with format

elasticsearch

elasticsearch-watcher

elasticsearch-aggregation