Alerts for missing results during the last week

Hi
Would it be possible to create a watcher using two different overlapping time ranges and get the delta (subtract the results and get only those that are missing)?

I'm trying to create an alert that checks my last week's results and compares them to my last month's results and finds what I missed.


{
  "trigger": {
    "schedule": {
      "daily": {
        "at": [
          "08:00"
        ]
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "my_index"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "alert: my_alerts"
                  }
                },
                {
                  "range": {
                    "collection_date": {
                      "gte": "**now-<should be 7 and 30>d/d**",
                      "lte": "now/d"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "aggregations": {
              "terms": {
                "size": 10000,
                "field": "category.keyword"
              }
            }
          }
        }
      }
    }
  },

Seems like the best way to do this is to use a chain input and have the first query be for the older timeframe and the second query be for the newer timeframe.

Or alternatively, you could do two different filter aggregations (each with a different time range) and then use a bucket_selector aggregation to expose only the terms that are in one of the time ranges, but not the other. See example here:
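Both approaches from the reply, written out as an added example (this is not code from the thread or from Elastic). The index, field, schedule and `query_string` are taken from the question; the aggregation and chain-input names (`by_category`, `last_7d`, `missing_this_week`, `month`, `week`), the `buckets_path` value `last_7d._count` (the doc-count path of the filter sub-aggregation) and the logging action are my own choices. The two Python helpers at the bottom reproduce the selection rules on constructed bucket lists so the logic can be checked offline before the watch is installed.

```python
"""Added example: two watches that report categories seen in the last 30 days
but absent from the last 7 days.  Index, field, schedule and query_string come
from the question; the aggregation names are assumptions made here."""
import json

INDEX = "my_index"
FIELD = "category.keyword"
MATCH = "alert: my_alerts"
TRIGGER = {"schedule": {"daily": {"at": ["08:00"]}}}


def window(days: int) -> dict:
    """Date range for the last `days` days, rounded to whole days as in the question."""
    return {"range": {"collection_date": {"gte": f"now-{days}d/d", "lte": "now/d"}}}


def alert_query(days: int) -> dict:
    """The question's bool query with the placeholder range filled in."""
    return {"bool": {"must": [{"query_string": {"query": MATCH}}, window(days)]}}


def bucket_selector_watch() -> dict:
    """Approach 2: a single search over the 30-day window.  Inside each category
    bucket a filter sub-aggregation counts the last 7 days and a bucket_selector
    keeps only buckets whose 7-day count is zero (seen this month, quiet this week)."""
    return {
        "trigger": TRIGGER,
        "input": {"search": {"request": {"indices": [INDEX], "body": {
            "size": 0,
            "query": alert_query(30),
            "aggs": {"by_category": {
                "terms": {"field": FIELD, "size": 10000},
                "aggs": {
                    "last_7d": {"filter": window(7)},
                    "missing_this_week": {"bucket_selector": {
                        "buckets_path": {"recent": "last_7d._count"},
                        "script": "params.recent == 0"}},
                },
            }},
        }}}},
        "condition": {"script": {"source":
            "ctx.payload.aggregations.by_category.buckets.size() > 0"}},
        "actions": {"log_missing": {"logging": {"text":
            "Missing this week: {{#ctx.payload.aggregations.by_category.buckets}}"
            "{{key}} {{/ctx.payload.aggregations.by_category.buckets}}"}}},
    }


# Painless transform for approach 1: subtract the week's categories from the month's.
DIFF_SCRIPT = """
def seen = new HashSet();
for (b in ctx.payload.week.aggregations.by_category.buckets) { seen.add(b.key); }
def missing = [];
for (b in ctx.payload.month.aggregations.by_category.buckets) {
  if (!seen.contains(b.key)) { missing.add(b.key); }
}
return ['missing': missing];
"""


def chain_watch() -> dict:
    """Approach 1: chain input with the 30-day search first and the 7-day search
    second; the transform replaces the payload with the delta."""
    def search(days: int) -> dict:
        return {"search": {"request": {"indices": [INDEX], "body": {
            "size": 0, "query": alert_query(days),
            "aggs": {"by_category": {"terms": {"field": FIELD, "size": 10000}}}}}}}
    return {
        "trigger": TRIGGER,
        "input": {"chain": {"inputs": [{"month": search(30)}, {"week": search(7)}]}},
        "transform": {"script": {"source": DIFF_SCRIPT}},
        "condition": {"script": {"source": "ctx.payload.missing.size() > 0"}},
        "actions": {"log_missing": {"logging": {"text": "Missing this week: {{ctx.payload.missing}}"}}},
    }


# --- offline twins of the two selection rules, for checking on sample buckets ---

def missing_by_difference(month_buckets, week_buckets):
    """Same rule as DIFF_SCRIPT: keys present in the month that never appear in the week."""
    seen = {b["key"] for b in week_buckets}
    return sorted(b["key"] for b in month_buckets if b["key"] not in seen)


def missing_by_selector(buckets):
    """Same rule as the bucket_selector: keep buckets whose 7-day filter is empty."""
    return sorted(b["key"] for b in buckets if b["last_7d"]["doc_count"] == 0)


if __name__ == "__main__":
    # Constructed sample buckets standing in for the search responses.
    month = [{"key": "disk", "doc_count": 12}, {"key": "auth", "doc_count": 3},
             {"key": "backup", "doc_count": 4}]
    week = [{"key": "disk", "doc_count": 2}]
    combined = [{"key": "disk", "doc_count": 12, "last_7d": {"doc_count": 2}},
                {"key": "auth", "doc_count": 3, "last_7d": {"doc_count": 0}},
                {"key": "backup", "doc_count": 4, "last_7d": {"doc_count": 0}}]
    print(missing_by_difference(month, week), missing_by_selector(combined))
    print(json.dumps(bucket_selector_watch(), indent=2))
```

Because the 7-day window lies entirely inside the 30-day window, both rules return the same set: every category that appeared in the month but not in the week. The `now/d` upper bound is copied from the question and rounds down to the start of today, so the current day's documents are excluded from both windows; use `now` instead if today's data should count.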
