Alert query for multiple indexes

I have an elastic search cluster with multiple indexes for example

Index A:

{
  temperature: value,
  hysteresis: value,
}
...

Index B:

{
  door: value,
  level: value
}

I am using the Kibana alert plugin for generating alerts and then notifying.

I want to generate an alert if the temperature and hysteresis values are greater than 75 and the door value is 0 (temp>=75 and hysteresis>=75 and door=0). I tried the following monitor query:

{
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "must": [
                {
                    "range": {
                        "timestamp": {
                            "from": "{{period_end}}||-1m",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "epoch_millis",
                            "boost": 1
                        }
                    }
                },
                {
                    "range": {
                        "door": {
                            "from": null,
                            "to": 1,
                            "include_lower": false,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ]
          }
        },
        {
          "bool": {
            "must": [
                {
                    "range": {
                        "timestamp": {
                            "from": "{{period_end}}||-1m",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "epoch_millis",
                            "boost": 1
                        }
                    }
                },
                {
                    "range": {
                        "temperature": {
                            "from": 70,
                            "to": null,
                            "include_lower": false,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                },
                {
                    "range": {
                        "Hysteresis": {
                            "from": 75,
                            "to": null,
                            "include_lower": false,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ]
          }
        }
      ]
    }
  }
}

It hits if either the door condition or the temp or hysteresis condition matches within one minute.

I want the monitor query to hit if the condition (temp>=75 and hysteresis>=75 and door=0) matches within one minute.

I tried replacing "should" with "must", but it gives nothing.

How do I write a monitor query for multiple indices?

Hi @komal_d_patil, welcome to the Elastic community forum!

In an effort to get to the simplest reproduction of your issue, setting aside the temporal aspects, I ran these commands in the DevTools console to generate a couple of indices with a shared key:

# Doors index
PUT doors
{
  "mappings": {
    "properties": {
      "door": { "type": "integer"},
      "type": { "type": "keyword"}
    }
  }
}

POST doors/_bulk
{ "index" : { "_index" : "doors", "_id" : "1" } }
{ "door" : 1, "type": "single" }
{ "index" : { "_index" : "doors", "_id" : "2" } }
{ "door" : 2, "type": "single" }
{ "index" : { "_index" : "doors", "_id" : "3" } }
{ "door" : 3, "type": "double" }
{ "index" : { "_index" : "doors", "_id" : "4" } }
{ "door" : 4, "type": "double" }

# Temperature index referring to doors
PUT temps
{
  "mappings": {
    "properties": {
      "door": { "type": "integer"},
      "value": { "type": "float"}
    }
  }
}

POST temps/_bulk
{ "index" : { "_index" : "temps", "_id" : "1" } }
{ "door" : 1, "value": 20 }
{ "index" : { "_index" : "temps", "_id" : "2" } }
{ "door" : 1, "value": 25 }
{ "index" : { "_index" : "temps", "_id" : "3" } }
{ "door" : 2, "value": 30 }
{ "index" : { "_index" : "temps", "_id" : "4" } }
{ "door" : 2, "value": 35 }
{ "index" : { "_index" : "temps", "_id" : "5" } }
{ "door" : 3, "value": 10 }
{ "index" : { "_index" : "temps", "_id" : "6" } }
{ "door" : 4, "value": 20 }

With that in place, I could do a search that gets the temperatures higher than a given value for a given door using the following query, returning only the document with _id: 2 in the temps index:

POST /_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "terms": {
            "_index": [
              "doors",
              "temps"
            ]
          }
        },
        {
          "term": {
            "door": 1
          }
        },
        {
          "range": {
            "value": {
              "gte": 22
            }
          }
        }
      ]
    }
  }
}

I guess the core of the issue was to use the _index term filter, right?

Moving this to the Elasticsearch forum, since this is not directly related to alerting, at least for the querying part. Also, @komal_d_patil, note that I formatted your question to help with readability.
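As an added example that is not code from the thread, from Elasticsearch or from the Kibana alerting plugin, the Python script below models how Elasticsearch evaluates the queries posted above: every bool clause is decided per document, so a `must` that needs the `door` field and the `temperature`/`hysteresis` fields at once can never match when those fields live in documents of different indices, which is why the `should` version fires on either branch and the `must` version returns nothing. It also runs the `_index` terms filter from the answer over the same doors/temps sample data. Assumptions: the evaluator covers only the clauses used in the thread (bool must/should/filter, range, term, terms); field names are lowercase (the original query spells `Hysteresis` with a capital H, and Elasticsearch field names are case-sensitive, so such a mismatch silently matches nothing); `PERIOD_END` is a constructed epoch-millis value standing in for `{{period_end}}`; and the thresholds are copied from the original query as written (door <= 1, temperature > 70, hysteresis > 75), which are not quite the temp>=75, hysteresis>=75, door=0 conditions the question states.

```python
"""Offline model of the queries in this thread (added example; not code from
Elasticsearch, Kibana alerting or the posters). Evaluates the subset of the
query DSL used above the way Elasticsearch does: clause by clause, one document
at a time, against constructed sample documents."""

PERIOD_END = 1_600_000_000_000  # constructed stand-in for {{period_end}} (epoch millis)


def _range_match(value, spec):
    """Evaluate a range clause written in from/to or in gte/gt/lte/lt form."""
    if value is None:  # field missing on this document: a range never matches
        return False
    lo, hi = spec.get("from"), spec.get("to")
    inc_lo, inc_hi = spec.get("include_lower", True), spec.get("include_upper", True)
    for key, incl in (("gte", True), ("gt", False)):
        if key in spec:
            lo, inc_lo = spec[key], incl
    for key, incl in (("lte", True), ("lt", False)):
        if key in spec:
            hi, inc_hi = spec[key], incl
    if lo is not None and (value < lo or (value == lo and not inc_lo)):
        return False
    if hi is not None and (value > hi or (value == hi and not inc_hi)):
        return False
    return True


def matches(query, doc):
    """True if this single document satisfies the query."""
    (kind, body), = query.items()
    if kind == "bool":
        required = body.get("must", []) + body.get("filter", [])
        optional = body.get("should", [])
        if not all(matches(q, doc) for q in required):
            return False
        # With no must/filter clauses, at least one should clause has to match
        # (minimum_should_match defaults to 1 in that case, otherwise to 0).
        if required or not optional:
            return True
        return any(matches(q, doc) for q in optional)
    if kind == "range":
        (field, spec), = body.items()
        return _range_match(doc.get(field), spec)
    if kind == "term":
        (field, val), = body.items()
        return doc.get(field) == val
    if kind == "terms":
        (field, vals), = body.items()
        return doc.get(field) in vals
    raise ValueError(f"unsupported clause: {kind}")


def search(query, docs):
    """Return (index, id) for every matching document; scoring is irrelevant here."""
    return [(d["_index"], d["_id"]) for d in docs if matches(query, d)]


def monitor_query(combine):
    """The thread's monitor query, branches joined by `combine` ("should" = OR, "must" = AND).
    "{{period_end}}||-1m" is date math for one minute earlier; resolved to millis by hand."""
    window = {"range": {"timestamp": {"from": PERIOD_END - 60_000, "to": PERIOD_END,
                                      "include_lower": True, "include_upper": True}}}
    door_branch = {"bool": {"must": [window, {"range": {"door": {
        "from": None, "to": 1, "include_lower": False, "include_upper": True}}}]}}
    temp_branch = {"bool": {"must": [window,
        {"range": {"temperature": {"from": 70, "to": None, "include_lower": False, "include_upper": True}}},
        {"range": {"hysteresis": {"from": 75, "to": None, "include_lower": False, "include_upper": True}}}]}}
    return {"bool": {combine: [door_branch, temp_branch]}}


# Constructed sample documents: one index per sensor type, as in the question.
DOCS = [
    {"_index": "a", "_id": "a1", "temperature": 80, "hysteresis": 80, "timestamp": PERIOD_END - 30_000},
    {"_index": "a", "_id": "a2", "temperature": 90, "hysteresis": 90, "timestamp": PERIOD_END - 120_000},  # outside window
    {"_index": "b", "_id": "b1", "door": 0, "timestamp": PERIOD_END - 20_000},
    {"_index": "b", "_id": "b2", "door": 1, "timestamp": PERIOD_END - 10_000},  # door <= 1 still matches
]

# The answer's doors/temps data, reproduced as documents that carry their index name.
DOORS = [{"_index": "doors", "_id": str(i), "door": i} for i in (1, 2, 3, 4)]
TEMPS = [{"_index": "temps", "_id": str(i), "door": d, "value": v}
         for i, (d, v) in enumerate([(1, 20), (1, 25), (2, 30), (2, 35), (3, 10), (4, 20)], 1)]


def joined_query(door, min_value):
    """The answer's cross-index search: restrict by _index, then by the shared key."""
    return {"bool": {"filter": [{"terms": {"_index": ["doors", "temps"]}},
                                {"term": {"door": door}},
                                {"range": {"value": {"gte": min_value}}}]}}


if __name__ == "__main__":
    print("should:", search(monitor_query("should"), DOCS))  # fires on either branch
    print("must:  ", search(monitor_query("must"), DOCS))    # no document has all fields
    print("joined:", search(joined_query(1, 22), DOORS + TEMPS))
```

The third search matches only the temps document because the doors documents carry the `door` key but no `value` field, so the filter still selects documents one at a time; the `_index` terms clause limits which indices are searched rather than joining them. A correlation across indices (door state and temperature in one alert) has to happen either at ingest time, by writing both readings into one document, or in the alert logic outside a single query.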
