Can we compare two different aggregations when using condition - compare struct?
Example:
"condition": {
"compare" : { "ctx.payload.aggregations.top_number1.buckets" : { "eq" : "{{ctx.payload.aggregations.top_number2.buckets}}" }}
}
I'm trying to construct a watcher that will compare two fields and if they have the same value, this value will be returned.
Hey @Amanda, you can per Compare condition | Elasticsearch Guide [6.4] | Elastic
You can also compare two values in the execution context by specifying the compared value as a path of the form of
{{path}}. For example, the following condition compares thectx.payload.aggregations.status.buckets.error.doc_countto thectx.payload.aggregations.handled.buckets.true.doc_count:
{
"condition" : {
"compare" : {
"ctx.payload.aggregations.status.buckets.error.doc_count" : {
"not_eq" : "{{ctx.payload.aggregations.handled.buckets.true.doc_count}}"
}
}
}
Hi @Brandon_Kobel,
Can you help me with this? I think I'm doing something wrong cause my condition compare is not returning any result.
Here is a sample of what I've done, for now it is just a test.
{
"trigger": {
"schedule": {
"daily": {
"at": [
"09:00"
]
}
}
},
"input": {
"chain": {
"inputs": [
{
"first": {
"search": {
"request": {
"indices": [
"index-*"
],
"body": {
"query": {
"bool": {
"filter": [
{
"query_string": {
"query": "host:localhost AND _exists_:port",
"analyze_wildcard": true
}
},
{
"range": {
"@timestamp": {
"gte": "now-1d",
"lt": "now"
}
}
}
]
}
},
"aggs": {
"local": {
"terms": {
"field": "port",
"size": 10
}
}
}
}
}
}
}
},
{
"second": {
"search": {
"request": {
"indices": [
"index-*"
],
"body": {
"query": {
"bool": {
"filter": [
{
"query_string": {
"query": "host:tbc AND _exists_:port",
"analyze_wildcard": true
}
},
{
"range": {
"@timestamp": {
"gte": "now-1d",
"lt": "now"
}
}
}
]
}
},
"aggs": {
"tbc1": {
"terms": {
"field": "port",
"size": 10
}
}
}
}
}
}
}
}
]
}
},
"condition": {
"compare": {
"ctx.payload.hit.aggregations.local.buckets.key": {
"eq": "{{ctx.payload.aggregations.tbc1.buckets.key}}"
}
}
},
"actions": {
"log": {
"logging": {
"text": "they are equal!"
}
}
}
}
Hey,
It's much better to ditch the compare condition here and go with the script condition if you want to compare to response values of the a search input.
Also note that the paths you are referring to, do not match with your configured chain input. The names of the the inputs are first and second respectively, which can be anything, but those names need to be used to refer to them.
In addition, the output of an aggregation includes an array of buckets, so you cannot directly address the keys. The example below checks if the first two buckets are equal - this may or may not be what you are after.
"script": {
"source" : "return ctx.payload.first.aggregations.local.buckets[0].key == ctx.payload.second.aggregations.tbc1.buckets[0].key"
}
If you take a step back and explain your use case a bit more detailed (without any mention of Elasticsearch, just the problem you are trying to solve), we might come with a completely different solution than this one, as I am not sure it fits every case (like comparing only the first output of the aggregation buckets).
Hope this helps!
Hi,
I have only one index and i want to compare two fields value and get the result, they are the same fields but may have different values from different requests.
I wanna compare them and check if they have the same value, I would receive an e-mail showing me the requests.
For example: If the values of the field host are the same, then a message would be logged
Index: index-*
fields: 1. host:star
2. port:1221
Index: index-*
fields: 1. host:star
2. port:3697
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.