Ok - after a little research, this could be done in probably two ways.

Method 1 - a script on the `condition` to see if there's an intersection of results from both queries:
"condition": {
"script": "def second_results = ctx.payload.second.hits.hits.stream().map(hit->hit._source.partition_field_value).collect(Collectors.toList()); return ctx.payload.first.hits.hits.stream().map(hit -> hit._source.partition_field_value).filter(p->second_results.contains(p)).collect(Collectors.toList()).size() > 0;"
},
"actions": {
"log": {
"logging": {
"text": "{{ctx.payload}}"
}
}
}
Two things to note. First, `first` and `second` are the names of my two chained input queries. Essentially, the condition script takes the anomalies for the second query and puts them in a map/list called `second_results`. Then it does the same to the first query's results, but then the test is to see if there's any intersection of items from the `second_results` list (test to see if the list of matches is bigger than 0). Secondly, note again that in my specific example, it is the `partition_field_value` that contains the name of the entities that I'm interested in.
In my little test, my first query returned 3 entities:

```
AAL ACA AWE
```

and the second query returned 2 entities:

```
ACA AAL
```

and my watch returns the expected intersection:
"condition": {
"type": "script",
"status": "success",
"met": true
},
"actions": [
{
"id": "log",
"type": "logging",
"status": "success",
"logging": {
"logged_text": "{_value=[AAL, ACA]}"
}
}
]
},
Method 2 - a smarter filtered terms query for the second query

You could also follow the model shown in this example:

Where the second query does a `must` and a `terms` filter that passes all of the items from the first query as items that must exist in the second query. It uses mustache syntax to iterate through all instances of, in this case, process names:
"terms": {
"process_host": [
"{{#ctx.payload.started_processes.aggregations.process_hosts.buckets}}{{key}}",
"{{/ctx.payload.started_processes.aggregations.process_hosts.buckets}}"
]
}
Hope that gives you some ideas
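As an added illustration (not part of the post above, and not Watcher code), the following Python models what the two methods compute so the logic can be checked offline against a constructed payload before it goes into a watch. `condition_met` mirrors the Painless condition from Method 1 (collect the entity field from the `second` input, keep the `first` input's hits whose value is in that list, and fire when the list is non-empty), and `terms_filter_from_buckets` builds the `terms` clause the mustache template from Method 2 expands to. The input names `first`/`second`, the field `partition_field_value`, the aggregation name `process_hosts` and the `process_host` field come from the post; the hit values and bucket keys are constructed sample data. Hits that lack the field are skipped, which is the case the Painless version would trip over as a null value.

```python
"""Offline model of the two Watcher approaches from the post (added example)."""


def _field_values(payload, input_name, field):
    """Collect `field` from every hit of the named chained input.

    Hits without the field are skipped rather than raising, which is the
    null case the Painless stream would have to guard against.
    """
    hits = payload.get(input_name, {}).get("hits", {}).get("hits", [])
    values = []
    for hit in hits:
        value = hit.get("_source", {}).get(field)
        if value is not None:
            values.append(value)
    return values


def condition_met(payload, first="first", second="second",
                  field="partition_field_value"):
    """Method 1: True when the two inputs share at least one entity.

    Returns (met, matches); `matches` keeps the order of the first query,
    mirroring the stream/filter in the Painless script.
    """
    second_results = set(_field_values(payload, second, field))
    matches = [v for v in _field_values(payload, first, field)
               if v in second_results]
    return len(matches) > 0, matches


def terms_filter_from_buckets(payload, input_name, agg_name, terms_field):
    """Method 2: the `terms` clause the mustache template expands to.

    The watch template iterates the aggregation buckets and emits each
    bucket key; this builds the same clause without mustache so the
    generated query can be inspected.
    """
    buckets = (payload.get(input_name, {}).get("aggregations", {})
               .get(agg_name, {}).get("buckets", []))
    return {"terms": {terms_field: [b["key"] for b in buckets]}}


def _hit(entity, field="partition_field_value"):
    return {"_source": {field: entity}}


# Constructed payload: the three/two entities from the post's test run, plus
# a made-up aggregation for Method 2 (process_hosts is the post's aggregation
# name; the bucket keys are invented).
SAMPLE_PAYLOAD = {
    "first": {"hits": {"hits": [_hit("AAL"), _hit("ACA"), _hit("AWE")]}},
    "second": {"hits": {"hits": [_hit("ACA"), _hit("AAL")]}},
    "started_processes": {
        "aggregations": {
            "process_hosts": {
                "buckets": [{"key": "host-a", "doc_count": 3},
                            {"key": "host-b", "doc_count": 1}]
            }
        }
    },
}

if __name__ == "__main__":
    met, matches = condition_met(SAMPLE_PAYLOAD)
    print("condition met:", met, "matches:", matches)
    print("terms filter:", terms_filter_from_buckets(
        SAMPLE_PAYLOAD, "started_processes", "process_hosts", "process_host"))
```

Running the module prints `condition met: True matches: ['AAL', 'ACA']`, the same intersection the post's watch logged; an empty second input, or hits missing the field, yields `False` with no matches.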