I have an index that has a series of events:
[{
@timestamp: "...",
jobId: "123",
result: "failure",
},{
@timestamp: "...",
jobId: "567",
result: "success",
},{
@timestamp: "...",
jobId: "123",
result: "failure"
}]
I would like to be able to set up alerting based on conditions like, "the same job has failed 3 times in a row". I believe I could do this as long as I have a query that can tell me, for each unique value of some field (jobId in this example), how many times in a row another field (result) has a particular value (failure). If the most recent result was success, the count would be 0.
One simple (but clunky) approach would be just to query all the logs, sorted by @timestamp, and calculate it myself, but I wonder if it is possible to do by aggregation instead. I thought of using a scripted field but I don't if it's possible to tabulate only recent and consecutive docs across shards.
Any ideas whether this is possible and what techniques to look into to do it?