Hmm, so I think you should only need one transform. In that transform you should use your "real" data index, then add a lookup runtime field that queries your "forecast" index.
Maybe something like:
PUT _transform/asdf
{
"source": {
"index": [
"metrics-kubernetes.container-private.kubernetes.development"
],
"runtime_mappings": {
"ml_forecast": {
"type": "lookup",
"target_index": ".ml-anomalies-custom-kubernetes_container_resource_regressions_development",
"input_field": "kubernetes.pod.name",
"target_field": "kubernetes.pod.name",
"fetch_fields": ["forecast_*"]
}
}
},
"pivot": {
"group_by": {
"kubernetes.pod.name": {
"terms": {
"field": "kubernetes.pod.name"
}
},
"kubernetes.container.name": {
"terms": {
"field": "kubernetes.container.name"
}
},
"ml_forecast": {
"terms": {
"field": "ml_forecast"
}
}
},
"aggregations": {
"kubernetes.container.cpu.usage.nanocores.avg": {
"avg": {
"field": "kubernetes.container.cpu.usage.nanocores"
}
}
}
},
"dest": {
"index": "asdf"
},
"sync": {
"time": {
"field": "@timestamp"
}
}
}
This is just a theoretical example; I'm not 100% sure it will work. It's more to demonstrate the idea.
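Note: it looks like you can't add lookup runtime fields via the Kibana UI; I opened this issue about it. So you'll need to create the transform via the Elasticsearch API. Keep in mind that a transform runs with the roles of the user who creates it, so that user needs read access to both the source index and the lookup target index (here a `.ml-anomalies-*` index), plus write access to the destination index.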