Conditions on top_hits results

Elastic Stack Elasticsearch
1

Hello! I've got a series of devices logging status information. I've got an aggregation which breaks down the logs by their device name, and a top_hits aggregation to get the most recent log entries for each of these devices.

I'm trying to write the condition so it can look inside these hits and see if the time in each log entry is too long ago. Using array_compare now.

Gist of the Watch I'm PUTting in:
https://gist.github.com/jeffeDivert/7b213ae9683dc2b18c5686a50c99790c

I've also tried using array_compare to just look at each bucket's doc_count but it doesn't seem to be working as expected, despite the code coming from the reference guide example:

"condition" : {
  "array_compare": {
    "ctx.payload.aggregations.lastheartbeat.buckets" : { 
      "path": "doc_count",
      "lte": { 
        "value": 25000, 
        "quantifier": "some" 
      }
    }
  }
}

Seems to pull up an empty array:

"array_compare": {
                    "resolved_values": {
                      "ctx.payload.aggregations.lastheartbeat.buckets": []
                    }
                  }

I feel like I'm overlooking something simple. Setting the Condition to Always or doing a non-array compare on something above the buckets works as expected.

2

hey,

can you show a response from the search as an example, so we can dig into this?

--Alex

3

Surely. Thanks!

4

I'd hope it was a simple mistake in the Watch on my part, but I'm not sure.

5

Hey,

sorry for the late response, just got back from being offline.

Can you run the Execute Watch API and post that output? Your watch condition looks ok, albeit the example output you pasted has no hits above the specified threshold, so I just want to check that output.

Also, I dont think that using datemath in the value is supported on top of my head - which you had in the gist that you pasted.

--Alex

6

Sorry: I discovered those results were only from a specific day's logs, but that wouldn't ultimately effect the watch.

The execution output on doc count:

Execution output lists comparison date value under "resolved_values":

It's figuring the datetime from the condition, but do you mean it's trying to compare int milliseconds to datetime?

7

Hey,

there are no search results being returned in both of your gists. Neither hits nor aggs, because not a single document matched.

--Alex

8

Aha! My indices didn't include a wildcard character. Thanks!