Per_bucket monitor performance
0 views
Skip to first unread message
никита какдела
7:06 AM (2 hours ago) 7:06 AM
to Wazuh | Mailing List
Hi!
I've noticed that sometimes I don't receive a notification for a triggered alert, meaning the action isn't triggered.
I checked the cluster logs and saw this:
I've noticed that these errors often appear on both of my monitors. That is, these monitors sometimes send alerts correctly, and sometimes they don't, and I can't figure out what's causing this.
"""
I've noticed that sometimes I don't receive a notification for a triggered alert, meaning the action isn't triggered.
I checked the cluster logs and saw this:
I've noticed that these errors often appear on both of my monitors. That is, these monitors sometimes send alerts correctly, and sometimes they don't, and I can't figure out what's causing this.
"""
[2026-01-22T06:39:22,345][ERROR][o.o.n.c.t.WebhookDestinationTransport] [node-1] Exception sending webhook message X4L_5pkBS6jN-8SDuQFi: org.opensearch.notifications.spi.model.MessageContent@e87df90
[2026-01-22T06:58:49,820][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T06:59:02,315][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T06:59:02,374][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T07:06:15,094][ERROR][o.o.n.c.t.WebhookDestinationTransport] [node-1] Exception sending webhook message X4L_5pkBS6jN-8SDuQFi: org.opensearch.notifications.spi.model.MessageContent@576b9a8d
[2026-01-22T07:06:19,061][ERROR][o.o.a.BucketLevelMonitorRunner] [node-1] Failed to retrieve sample documents for alert hcWG5JsB-dPPuwmWgt0Z from trigger CVEEApsBoeamHjFYzAQF of monitor ClEEApsBoeamHjFYzAQL during execution ClEEApsBoeamHjFYzAQL_2026-01-22T07:06:18.998200819_7b9b6f74-a924-46c7-8283-d1a8e7a03d96.
[2026-01-22T07:06:19,280][ERROR][o.o.a.BucketLevelMonitorRunner] [node-1] Failed to retrieve sample documents for alert hcWG5JsB-dPPuwmWgt0Z from trigger CVEEApsBoeamHjFYzAQF of monitor ClEEApsBoeamHjFYzAQL during execution ClEEApsBoeamHjFYzAQL_2026-01-22T07:06:18.998200819_7b9b6f74-a924-46c7-8283-d1a8e7a03d96.
[2026-01-22T07:06:19,485][ERROR][o.o.a.BucketLevelMonitorRunner] [node-1] Failed to retrieve sample documents for alert hcWG5JsB-dPPuwmWgt0Z from trigger CVEEApsBoeamHjFYzAQF of monitor ClEEApsBoeamHjFYzAQL during execution ClEEApsBoeamHjFYzAQL_2026-01-22T07:06:18.998200819_7b9b6f74-a924-46c7-8283-d1a8e7a03d96.
[2026-01-22T08:34:42,189][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T08:37:52,580][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T06:58:49,820][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T06:59:02,315][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T06:59:02,374][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T07:06:15,094][ERROR][o.o.n.c.t.WebhookDestinationTransport] [node-1] Exception sending webhook message X4L_5pkBS6jN-8SDuQFi: org.opensearch.notifications.spi.model.MessageContent@576b9a8d
[2026-01-22T07:06:19,061][ERROR][o.o.a.BucketLevelMonitorRunner] [node-1] Failed to retrieve sample documents for alert hcWG5JsB-dPPuwmWgt0Z from trigger CVEEApsBoeamHjFYzAQF of monitor ClEEApsBoeamHjFYzAQL during execution ClEEApsBoeamHjFYzAQL_2026-01-22T07:06:18.998200819_7b9b6f74-a924-46c7-8283-d1a8e7a03d96.
[2026-01-22T07:06:19,280][ERROR][o.o.a.BucketLevelMonitorRunner] [node-1] Failed to retrieve sample documents for alert hcWG5JsB-dPPuwmWgt0Z from trigger CVEEApsBoeamHjFYzAQF of monitor ClEEApsBoeamHjFYzAQL during execution ClEEApsBoeamHjFYzAQL_2026-01-22T07:06:18.998200819_7b9b6f74-a924-46c7-8283-d1a8e7a03d96.
[2026-01-22T07:06:19,485][ERROR][o.o.a.BucketLevelMonitorRunner] [node-1] Failed to retrieve sample documents for alert hcWG5JsB-dPPuwmWgt0Z from trigger CVEEApsBoeamHjFYzAQF of monitor ClEEApsBoeamHjFYzAQL during execution ClEEApsBoeamHjFYzAQL_2026-01-22T07:06:18.998200819_7b9b6f74-a924-46c7-8283-d1a8e7a03d96.
[2026-01-22T08:34:42,189][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T08:37:52,580][ERROR][o.o.a.r.RestSearchMonitorAction] [node-1] The monitor parsing failed. Will return response as is.
[2026-01-22T10:21:43,173][ERROR][o.o.n.c.t.WebhookDestinationTransport] [node-1] Exception sending webhook message xF8JnJoBovKpQ5b8ijIc: org.opensearch.notifications.spi.model.MessageContent@61042c0e
[2026-01-22T10:24:43,255][ERROR][o.o.n.c.t.WebhookDestinationTransport] [node-1] Exception sending webhook message xF8JnJoBovKpQ5b8ijIc: org.opensearch.notifications.spi.model.MessageContent@3ef079c4
[2026-01-22T10:27:48,203][ERROR][o.o.n.c.t.WebhookDestinationTransport] [node-1] Exception sending webhook message xF8JnJoBovKpQ5b8ijIc: org.opensearch.notifications.spi.model.MessageContent@b0229c6
"""
I'd like you guys to look at my monitors and suggest how I can improve them or "lighten" them. Because one of the monitors has over 3,000 hits. I don't know if this is correct or not.
I pinned 2 txt files (my both JSON monitors) please look at this.
[2026-01-22T10:24:43,255][ERROR][o.o.n.c.t.WebhookDestinationTransport] [node-1] Exception sending webhook message xF8JnJoBovKpQ5b8ijIc: org.opensearch.notifications.spi.model.MessageContent@3ef079c4
[2026-01-22T10:27:48,203][ERROR][o.o.n.c.t.WebhookDestinationTransport] [node-1] Exception sending webhook message xF8JnJoBovKpQ5b8ijIc: org.opensearch.notifications.spi.model.MessageContent@b0229c6
"""
I'd like you guys to look at my monitors and suggest how I can improve them or "lighten" them. Because one of the monitors has over 3,000 hits. I don't know if this is correct or not.
I pinned 2 txt files (my both JSON monitors) please look at this.
Reply all
Reply to author
Forward
0 new messages