I am looking to build an alert rule where, if the latest record for a module has unexpected_state == true, the rule triggers, and if the most recent state is not unexpected_state == true, no record is generated, which will allow the alert to self-recover.
This is the DSL I have so far:
{
  "size": 0,
  "aggs": {
    "modules": {
      "terms": {
        "field": "tcx_sys_beacons.module",
        "size": 1000 // Adjust size as necessary
      },
      "aggs": {
        "latest_record": {
          "top_hits": {
            "sort": [
              {
                "tcx_sys_time": {
                  "order": "desc"
                }
              }
            ],
            "_source": { "includes": ["tcx_sys_time", "tcx_sys_beacons.beacon_unexpected_state"] },
            "size": 1
          }
        },
        "unexpected_state": {
          "bucket_selector": {
            "buckets_path": {
              "latestState": "latest_record[_source.tcx_sys_beacons.beacon_unexpected_state]"
            },
            "script": "params.latestState == true"
          }
        }
      }
    }
  }
}
However, it generates this error, which I have been unable to resolve:
{
  "error": {
    "root_cause": [],
    "type": "search_phase_execution_exception",
    "reason": "",
    "phase": "rank-feature",
    "grouped": true,
    "failed_shards": [],
    "caused_by": {
      "type": "illegal_argument_exception",
      "reason": "buckets_path must reference either a number value or a single value numeric metric aggregation, got: [LinkedHashMap] at aggregation [latest_record]"
    }
  },
  "status": 400
}
Any help would be greatly appreciated! --Jeff
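The error says why the query is rejected: a bucket_selector can only read a numeric value from its buckets_path, and a top_hits aggregation produces a whole document (the LinkedHashMap in the message), not a number. One way around that is to compute "state of the newest record in this bucket" as a number with a scripted_metric aggregation and let the bucket_selector read that. The query below is an added example, not part of the original post; it reuses the field names from the post and assumes that tcx_sys_time is mapped as a date, that tcx_sys_beacons.beacon_unexpected_state is mapped as a boolean with doc values, and that the cluster version allows a bucket_selector to reference a scripted_metric via its value property. The scripted_metric tracks, per shard and then across shards, the timestamp of the newest document seen and whether that document was in the unexpected state, so buckets whose newest record is healthy are dropped and the alert self-recovers once a normal beacon arrives.

```json
{
  "size": 0,
  "aggs": {
    "modules": {
      "terms": {
        "field": "tcx_sys_beacons.module",
        "size": 1000
      },
      "aggs": {
        "latest_unexpected": {
          "scripted_metric": {
            "init_script": "state.ts = -1L; state.flag = 0",
            "map_script": "if (doc['tcx_sys_time'].size() == 0 || doc['tcx_sys_beacons.beacon_unexpected_state'].size() == 0) { return; } long ts = doc['tcx_sys_time'].value.toInstant().toEpochMilli(); if (ts > state.ts) { state.ts = ts; state.flag = doc['tcx_sys_beacons.beacon_unexpected_state'].value ? 1 : 0; }",
            "combine_script": "return state",
            "reduce_script": "long bestTs = -1L; int flag = 0; for (s in states) { if (s.ts > bestTs) { bestTs = s.ts; flag = s.flag; } } return flag"
          }
        },
        "only_unexpected": {
          "bucket_selector": {
            "buckets_path": {
              "flag": "latest_unexpected.value"
            },
            "script": "params.flag == 1"
          }
        }
      }
    }
  }
}
```

The map script skips documents that lack either field so a beacon with a missing timestamp cannot be mistaken for the newest one, and the reduce script returns 1 only when the newest record across all shards was in the unexpected state. If a rule should consider only recent data, add a range query on tcx_sys_time to the request so a module that stopped reporting long ago is not kept in the alert forever.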