Hello, I execute the following command in the Kibana console in order to get the values for the windows.service.name.keyword field:
GET /metricbeat-sdok-*/_search
{
  "size": 0,
  "aggs": {
    "sasasa": {
      "terms": {
        "field": "windows.service.name.keyword"
      }
    }
  }
}
The results are the following:
"aggregations" : {
"sasasa" : {
"doc_count_error_upper_bound" : 16745,
"sum_other_doc_count" : 2698205,
"buckets" : [
{
"key" : "ALG",
"doc_count" : 16745
},
{
"key" : "AeLookupSvc",
"doc_count" : 16745
},
{
"key" : "AppIDSvc",
"doc_count" : 16745
},
{
"key" : "AppMgmt",
"doc_count" : 16745
},
{
"key" : "AppReadiness",
"doc_count" : 16745
},
{
"key" : "AppXSvc",
"doc_count" : 16745
},
{
"key" : "Appinfo",
"doc_count" : 16745
},
{
"key" : "AudioEndpointBuilder",
"doc_count" : 16745
},
{
"key" : "Audiosrv",
"doc_count" : 16745
},
{
"key" : "BFE",
"doc_count" : 16745
}
]
}
Nevertheless, I expected many more buckets, because in my index that specific field takes more values, as the image below shows (for example the browser value):
Why can't I get all the values that I have in my index for the specific variable when I execute the aggs command?
Thank you a lot in advance.
flash1293
(Joe Reuter)
February 7, 2020, 3:19pm
2
Hello Joe,
Thank you for your answer. But even when I set the size parameter to 12 instead of 10, for example, I still get only 10 results.
GET /metricbeat-sdok-*/_search
{
  "size": 12,
  "aggs": {
    "sasasa": {
      "terms": {
        "field": "windows.service.name.keyword"
      }
    }
  }
}
"aggregations" : {
"sasasa" : {
"doc_count_error_upper_bound" : 39821,
"sum_other_doc_count" : 6413441,
"buckets" : [
{
"key" : "ALG",
"doc_count" : 39821
},
{
"key" : "AeLookupSvc",
"doc_count" : 39821
},
{
"key" : "AppIDSvc",
"doc_count" : 39821
},
{
"key" : "AppMgmt",
"doc_count" : 39821
},
{
"key" : "AppReadiness",
"doc_count" : 39821
},
{
"key" : "AppXSvc",
"doc_count" : 39821
},
{
"key" : "Appinfo",
"doc_count" : 39821
},
{
"key" : "AudioEndpointBuilder",
"doc_count" : 39821
},
{
"key" : "Audiosrv",
"doc_count" : 39821
},
{
"key" : "BFE",
"doc_count" : 39821
}
]
}
}
flash1293
(Joe Reuter)
February 11, 2020, 3:35pm
4
The "size" parameter should be next to the "field" parameter within the definition of the terms agg:
GET /metricbeat-sdok-*/_search
{
  "aggs": {
    "sasasa": {
      "terms": {
        "field": "windows.service.name.keyword",
        "size": 12
      }
    }
  }
}
Hello Joe,
Thank you, it worked as you said and I got results.
The thing that I can't understand is why, when I am creating an alert that includes that exact aggs section,
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-sdok-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "terms": {
                    "host.hostname.keyword": [
                      "sag-dfo-009"
                    ]
                  }
                },
                {
                  "terms": {
                    "windows.service.name.keyword": [
                      "AlwaysUpService.exe"
                    ]
                  }
                },
                {
                  "terms": {
                    "windows.service.name.keyword": [
                      "system.process"
                    ]
                  }
                }
              ],
              "must_not": {
                "term": {
                  "system.process.state.keyword": "runsasaning"
                }
              },
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-120m"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "aggs": {
    "sasasa": {
      "terms": {
        "field": "windows.service.name.keyword",
        "size": 12
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "<alexandros.ananikidis@sag-ag.ch>"
        ],
        "subject": "The AlwaysUpService.exe (which monitors the four instances: CATRIN Instanz 1, CATRIN Instanz 2, CATRIN Instanz 3, CATRIN Instanz 4) is not running",
        "body": {
          "text": "Watcher has detected {{ctx.payload.hits.total}} times that the AlwaysUpService.exe is not running in SAG-DFO-007(IP :10.1.161.225) the last 1 minute."
        }
      }
    }
  }
}
I get the message shown below:
I know that we cannot make aggs on string fields, but I don't use a string field; I use the .keyword part of that string field, which, as the image below shows in the relevant index pattern, is aggregatable.
Thank you very much for your time
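An added example, not code from this thread or from Elastic, that encodes the two placement rules discussed above: the bucket count is the "size" inside the terms agg itself, and in a watch the aggs belong under input.search.request.body next to the query rather than at the watch root. The function names, the "sasasa" agg name reuse and the "running" state value are my assumptions; the field names come from the thread.

```python
# Added example, not from the thread; function names are my own assumptions.
TERMS_DEFAULT_SIZE = 10  # buckets returned when a terms agg has no "size"

def terms_agg_body(field: str, buckets: int, hits: int = 0) -> dict:
    """Search body with "size" inside the terms agg (bucket count). The
    top-level "size" only caps returned hits, which is why 12 at the top
    level still produced 10 buckets."""
    return {"size": hits,
            "aggs": {"sasasa": {"terms": {"field": field, "size": buckets}}}}

def service_watch(hostname: str, service: str, body: dict) -> dict:
    """Watch skeleton for 'service not running on host'. Query and aggs alike
    belong under input.search.request.body, not at the watch root. The
    state value "running" is an assumption, not taken from the thread."""
    query = {"bool": {
        "must": [{"term": {"host.hostname.keyword": hostname}},
                 {"term": {"windows.service.name.keyword": service}}],
        "must_not": {"term": {"system.process.state.keyword": "running"}},
        "filter": [{"range": {"@timestamp": {"gte": "now-120m"}}}]}}
    return {
        "trigger": {"schedule": {"interval": "1m"}},
        "input": {"search": {"request": {
            "indices": ["metricbeat-sdok-*"],
            "rest_total_hits_as_int": True,
            "body": {**body, "query": query}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
    }

def lint_body(body: dict) -> list:
    """Flag terms aggs with no "size" (the second post's mistake)."""
    problems = []
    for name, agg in body.get("aggs", {}).items():
        terms = agg.get("terms")
        if terms is not None and "size" not in terms:
            msg = f"terms agg '{name}': no size, only {TERMS_DEFAULT_SIZE} buckets"
            if "size" in body:
                msg += "; the top-level size does not apply to buckets"
            problems.append(msg)
    return problems

def lint_watch(watch: dict) -> list:
    """Flag "aggs" at the watch root (the third post's layout), then lint the body."""
    problems = []
    if "aggs" in watch:
        problems.append("'aggs' at watch root; move it into input.search.request.body")
    body = watch.get("input", {}).get("search", {}).get("request", {}).get("body", {})
    return problems + lint_body(body)
```

Running lint_watch over a watch definition before PUTting it catches both mistakes offline; the returned watch dict can be sent as the body of PUT _watcher/watch/<id>.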
flash1293
(Joe Reuter)
February 12, 2020, 8:52am
6
Please open a separate issue if you have a separate question. That being said, it would be much easier to help you if you would describe what you are trying to achieve up front instead of only disclosing the next part of the problem after you got one step further.
Hello Joe, I will do exactly as you said.
Thank you once again.
Best regards,
Alexandros
system
(system)
Closed
March 11, 2020, 8:55am
8
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.