Advanced Watch calculate buckets

Elastic Stack Elasticsearch
1

I want to create a advanced watch wich count a specific operation of specific service during more than 1 second to execute. If the number of cases is greater than 1% of total of cases, the watch send a alert. Ex: (duration / total > 0,01 )

My goal is to be able to divide the number of cases that during more than 1s by total of cases to obtain the percentage.

I did a query with the two aggs that i need for the division, but i can't reach the calculate part.

Is it even possible? If so, how?

My query:

GET test-*/_search?size=0
{
"query": {
"term": {
"Service.keyword": "se"
}
},
"aggs": {
"total": {
"filter": {
"term": {
"Operation.keyword": "op"
}
},
"aggs": {
"duration": {
"filter": {
"range": {
"Duration": {
"gte": 1000
}
}
}
}
}
}
}
}

Result:

{
"took" : 328,
"timed_out" : false,
"_shards" : {
"total" : 52,
"successful" : 52,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 334,
"max_score" : 0.0,
"hits" :
},
"aggregations" : {
"total" : {
"doc_count" : 296,
"duration" : {
"doc_count" : 19
}
}
}
}

2

I already found the solution!

Solution:

GET test-*/_search?size=0
{
"query": {
"bool": {
"must": [{
"term": {
"Service.keyword": "se"}},
{"term": {"Operation.keyword": "op"}},
{"range": {"@timestamp": {"gte": "now-1h"}}}]}},
"aggs": {
"result": {
"filters": {
"filters": {
"ALL": {
"match_all": {}}}},
"aggs": {
"TOTAL": {
"filter": {
"term": {
"Service.keyword": "OTT/Service"}},
"aggs": {
"total_count": {
"value_count": {
"field": "Operation.keyword"}}}},
"partial": {
"filter": {
"range": {
"Duration": {
"gte": 1000,
"lte": null}}},
"aggs": {
"partial_count": {
"value_count": {
"field": "Operation.keyword"}}}},
"convert_ratio": {
"bucket_script": {
"buckets_path": {
"total": "TOTAL>total_count",
"partial": "partial>partial_count"},
"script": "params.partial/params.total"}}}}}}

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.