Cannot aggregate on an aggregated field

Hello,

I am creating the following alert :

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-sdok-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "terms": {
                    "host.hostname.keyword": [
                      "sag-dfo-009"
                    ]
                  }
                },
                {
                  "terms": {
                    "windows.service.name.keyword": [
                      "AlwaysUpService.exe"
                    ]
                  }
                },
                {
                  "terms": {
                    "windows.service.name.keyword": [
                      "system.process"
                    ]
                  }
                }
              ],
              "must_not": {
                "term": {
                  "system.process.state.keyword": "runsasaning"
                }
              },
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-120m"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "aggs": {
    "sasasa": {
      "terms": {
        "field": "windows.service.name.keyword",
        "size": 12
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "<alexandros.ananikidis@sag-ag.ch>"
        ],
        "subject": "The AlwaysUpService.exe (which monitors the four instances: CATRIN Instanz 1, CATRIN Instanz 2, CATRIN Instanz 3, CATRIN Instanz 4) is not running",
        "body": {
          "text": "Watcher has detected {{ctx.payload.hits.total}} times that the AlwaysUpService.exe is not running in SAG-DFO-007(IP :10.1.161.225) the last 1 minute."
        }
      }
    }
  }
}

Then I get the error message shown below:

I know that we cannot make aggs on string fields, but I don't use a string field, I use the .keyword part of that string field, which is aggregatable, as the image of the relevant index pattern below shows.

So why do I get that error?

Thank you

The error you're seeing is a syntax error in Watcher. Your Watcher configuration has the key aggs at the top level, instead of being part of the input query.

Hello Wylie,

I changed my alert like that and there are no syntax errors anymore. But the alert is not triggered even though it should be, because "system.process.state.keyword": "runsasaning" is set on purpose like that in order to get alerts.
The alert body is like this:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-sdok-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "terms": {
                    "host.hostname.keyword": [
                      "sag-dfo-009"
                    ]
                  }
                },
                {
                  "terms": {
                    "windows.service.name.keyword": [
                      "AlwaysUpService.exe"
                    ]
                  }
                },
                {
                  "terms": {
                    "windows.service.name.keyword": [
                      "system.process"
                    ]
                  }
                }
              ],
              "must_not": {
                "term": {
                  "system.process.state.keyword": "runsasaning"
                }
              },
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-120m"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "sasasa": {
              "terms": {
                "field": "windows.service.name.keyword"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "<alexandros.ananikidis@sag-ag.ch>"
        ],
        "subject": "The AlwaysUpService.exe (which monitors the four instances: CATRIN Instanz 1, CATRIN Instanz 2, CATRIN Instanz 3, CATRIN Instanz 4) is not running",
        "body": {
          "text": "Watcher has detected {{ctx.payload.hits.total}} times that the AlwaysUpService.exe is not running in SAG-DFO-007(IP :10.1.161.225) the last 1 minute."
        }
      }
    }
  }
}

Thank you a lot in advance.

Best regards,
Alexandros

I can't help you with debugging Watcher. I recommend reading through the Watcher docs or asking in the Elasticsearch forums.
https://www.elastic.co/guide/en/elasticsearch/reference/current/xpack-alerting.html
https://discuss.elastic.co/c/elasticsearch/6
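As an added example (not code from this thread, and not Elastic's own tooling), the script below runs two static checks over a watch definition that correspond to the two posts above: it reports an "aggs" block that sits anywhere other than input.search.request.body (the syntax error Wylie points to), and it reports a bool "must" array whose term/terms clauses demand disjoint values of the same field. In the watch as posted, "windows.service.name.keyword" is required to equal both "AlwaysUpService.exe" and "system.process", which no document can satisfy if the field holds a single value; that single-valuedness is an assumption about the metricbeat mapping, so the finding is a lead to verify, not a certainty. The sample watch is constructed from the thread and trimmed to the parts the checks read; move_aggs_into_body shows the relocation Wylie describes.

```python
"""Static checks for an Elasticsearch Watcher definition (added example).

Checks: (1) an "aggs" key outside input.search.request.body, which Watcher
rejects; (2) term/terms clauses in bool.must that require disjoint values of
one field, which never match on a single-valued field (assumed mapping), so
hits.total stays 0 and the condition "ctx.payload.hits.total > 0" never fires.
"""
import copy
import json

# Constructed sample: the thread's watch, trimmed to the parts the checks read.
BROKEN_WATCH = json.loads("""
{
  "trigger": {"schedule": {"interval": "1m"}},
  "input": {"search": {"request": {
    "indices": ["metricbeat-sdok-*"],
    "body": {
      "size": 0,
      "query": {"bool": {
        "must": [
          {"terms": {"host.hostname.keyword": ["sag-dfo-009"]}},
          {"terms": {"windows.service.name.keyword": ["AlwaysUpService.exe"]}},
          {"terms": {"windows.service.name.keyword": ["system.process"]}}
        ],
        "must_not": {"term": {"system.process.state.keyword": "runsasaning"}},
        "filter": [{"range": {"@timestamp": {"gte": "now-120m"}}}]
      }}
    }
  }}},
  "aggs": {"sasasa": {"terms": {"field": "windows.service.name.keyword", "size": 12}}},
  "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}}
}
""")

BODY_PATH = ("input", "search", "request", "body")


def find_misplaced_aggs(watch):
    """Return dotted paths of every 'aggs' key not under input.search.request.body.
    Sub-aggregations nested inside body.aggs are fine; a top-level one is reported."""
    allowed_prefix = BODY_PATH + ("aggs",)
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = path + (key,)
                if key == "aggs" and here[:len(allowed_prefix)] != allowed_prefix:
                    found.append(".".join(here))
                walk(value, here)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, path + (str(index),))

    walk(watch, ())
    return found


def _required_values(clause):
    """Yield (field, frozenset of accepted values) for a 'term' or 'terms' clause."""
    for field, values in clause.get("terms", {}).items():
        if isinstance(values, list):
            yield field, frozenset(values)
    for field, value in clause.get("term", {}).items():
        if isinstance(value, dict):          # long form: {"field": {"value": ...}}
            value = value.get("value")
        yield field, frozenset([value])


def find_contradictory_must(query):
    """Return fields whose 'must' clauses leave no value that satisfies all of them."""
    must = query.get("bool", {}).get("must", [])
    if isinstance(must, dict):               # a single clause may be written as an object
        must = [must]
    required, conflicts = {}, set()
    for clause in must:
        for field, values in _required_values(clause):
            if field in required:
                required[field] &= values    # values every clause so far accepts
                if not required[field]:
                    conflicts.add(field)
            else:
                required[field] = values
    return sorted(conflicts)


def lint_watch(watch):
    """Run both checks and return their findings."""
    body = watch
    for key in BODY_PATH:
        body = body.get(key, {})
    return {"misplaced_aggs": find_misplaced_aggs(watch),
            "contradictory_fields": find_contradictory_must(body.get("query", {}))}


def move_aggs_into_body(watch):
    """Return a copy with a top-level 'aggs' relocated under input.search.request.body."""
    fixed = copy.deepcopy(watch)
    aggs = fixed.pop("aggs", None)
    if aggs is not None:
        body = fixed
        for key in BODY_PATH:
            body = body.setdefault(key, {})
        body["aggs"] = aggs
    return fixed


if __name__ == "__main__":
    print(lint_watch(BROKEN_WATCH))
    print(lint_watch(move_aggs_into_body(BROKEN_WATCH)))
```

Relocating the aggregation clears the first finding but not the second: after the move the watch is accepted by Watcher yet still returns zero hits, which matches the behaviour reported in the follow-up post. The check only inspects term/terms clauses; range, match or wildcard clauses on the same field are not reasoned about.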
