Comparing the last aggregated sub bucket count in the watcher condition

Hi Team,

I am working on a watcher alert which will send an alert when the last aggregated bucket doc_count crossed certain value. Could you please help me how to achieve it to compare the last sub backets doc_count value. I have used array_compare in the wacther condition as below.

My aggregation:
"aggs": {
"dc_aggs": {
"terms": {
"field": "dc"
},
"aggs": {
"rule_aggs": {
"terms": {
"field": "rule"
},
"aggs": {
"alertid_aggs": {
"terms": {
"field": "alertid"
},
"aggs": {
"primary_page_aggs": {
"terms": {
"field": "primary_page"
},
"aggs": {
"activity_aggs": {
"terms": {
"field": "activity"
},
"aggs": {
"last_input_aggs": {
"terms": {
"field": "last_input"
},
"aggs": {
"last_step": {
"terms": {
"field": "last_step"
},
"aggs": {
"stack_aggs": {
"terms": {
"field": "stack"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}

I want to compare the count of last sub bucket "stack_aggs" doc_count > some value. is it possible. I have tried like below but it is not working. Please help me how can i do it.

"condition": {
"array_compare": {
"ctx.payload.aggregations.dc_aggs.buckets.rule_aggs.buckets.alertid_aggs.buckets.primary_page_aggs.buckets.activity_aggs.buckets.last_input_aggs.buckets.last_step.buckets.stack_aggs.buckets": {
"path": "doc_count",
"gt": {
"value": 170,
"quantifier": "some"
}
}
}
}

Please take the time to properly format your messages. This forums supports markdown and code snippets, which improves your readability a lot.

Also, can you share the response to figure out the right path?

Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.