Accessing nested aggregations in a watcher's action

This isn't a question, but just wanted to share something I've learned. There are similar posts that talk about nested aggregations, but nothing that quite explained what I was looking for.

Creating advanced watchers in Kibana is a crucial tool for promptly identifying when specific complex conditions occur.

A watcher can be configured to use mustache syntax to iterate over arrays. This is especially handy when you want to work with nested aggregations.

For example, using this aggregation part of the query:

"aggs": {
  "username": {
    "terms": {
      "field": "service.user_name",
      "size": 25
    },
    "aggs": {
      "top_froms": {
        "top_hits": {
          "_source": {
            "includes": [
              "transaction.from"
            ]
          },
          "size": 1
        }
      }
    }
  }
}

Could return something like this:

"aggregations": {
  "username": {
    "buckets": [
      {
        "key": "example_name_1",
        "doc_count": 3,
        "top_froms": {
          "hits": {
            "hits": [
              {
                "_source": {
                  "transaction": {
                    "from": "88888888"
                  }
                }
              }
            ]
          }
        }
      },
      {
        "key": "example_name_2",
        "doc_count": 2,
        "top_froms": {
          "hits": {
            "hits": [
              {
                "_source": {
                  "transaction": {
                    "from": "99999999"
                  }
                }
              }
            ]
          }
        }
      }
    ]
  }
}

Which could then be accessed in a watcher action with:

{{#ctx.payload.aggregations.username.buckets}}from:{{#top_froms.hits.hits}}{{_source.transaction.from}}{{/top_froms.hits.hits}},count: {{doc_count}},username:{{key}}{{/ctx.payload.aggregations.username.buckets}}<br/>

Which would display the following:

from:88888888,count:3,username:example_name_1
from:99999999,count:2,username:example_name_2

Something to keep in mind is that the nested mustache section (top_froms.hits.hits) is resolved relative to the current item of the enclosing section (each bucket of ctx.payload.aggregations.username.buckets), so the inner path starts at the bucket rather than at ctx.payload.
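To make the relative-path behaviour concrete, here is an added example (not from the original post or from Elastic) that renders the same template over a constructed copy of the response above with a minimal mustache-style renderer; it assumes only the section and variable tags used in the template, and swaps the `<br/>` for a newline so the output is plain text.

```python
import re

# Constructed sample payload mirroring the aggregation response shown above.
PAYLOAD = {"aggregations": {"username": {"buckets": [
    {"key": "example_name_1", "doc_count": 3, "top_froms": {"hits": {"hits": [
        {"_source": {"transaction": {"from": "88888888"}}}]}}},
    {"key": "example_name_2", "doc_count": 2, "top_froms": {"hits": {"hits": [
        {"_source": {"transaction": {"from": "99999999"}}}]}}},
]}}}

# The watcher action template from the post, with "\n" in place of <br/>.
TEMPLATE = ("{{#ctx.payload.aggregations.username.buckets}}from:"
            "{{#top_froms.hits.hits}}{{_source.transaction.from}}{{/top_froms.hits.hits}},"
            "count:{{doc_count}},username:{{key}}\n"
            "{{/ctx.payload.aggregations.username.buckets}}")

TAG = re.compile(r"\{\{([#/]?)([^{}]+?)\}\}")

def lookup(path, stack):
    """Resolve a dotted path against the context stack, innermost context first.
    This is the mustache rule that makes top_froms.hits.hits relative to the
    bucket currently being iterated rather than to ctx.payload."""
    for ctx in reversed(stack):
        cur = ctx
        for part in path.split("."):
            if not isinstance(cur, dict) or part not in cur:
                break
            cur = cur[part]
        else:
            return cur
    return None  # unresolved names render as empty, as in mustache

def render(template, stack):
    """Minimal mustache: list sections and variables only (enough for the template)."""
    out, pos = [], 0
    while (m := TAG.search(template, pos)):
        out.append(template[pos:m.start()])
        kind, name = m.group(1), m.group(2).strip()
        if kind == "#":
            end_tag = "{{/" + name + "}}"
            close = template.index(end_tag, m.end())
            items = lookup(name, stack) or []  # empty hits -> section body skipped
            for item in items if isinstance(items, list) else [items]:
                out.append(render(template[m.end():close], stack + [item]))
            pos = close + len(end_tag)
        else:
            val = lookup(name, stack)
            out.append("" if val is None else str(val))
            pos = m.end()
    return "".join(out) + template[pos:]

def render_action(payload):
    """Render the template as the watcher would, with ctx.payload as the root context."""
    return render(TEMPLATE, [{"ctx": {"payload": payload}}])
```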

Hopefully this will be helpful to others.
