Conditions on top_hits results

jeffedwards · August 26, 2016, 6:12pm

Hello! I've got a series of devices logging status information. I've got an aggregation which breaks down the logs by their device name, and a top_hits aggregation to get the most recent log entries for each of these devices.

I'm trying to write the condition so it can look inside these hits and see if the time in each log entry is too long ago. Using array_compare now.

Gist of the Watch I'm PUTting in:
https://gist.github.com/jeffeDivert/7b213ae9683dc2b18c5686a50c99790c

I've also tried using array_compare to just look at each bucket's doc_count but it doesn't seem to be working as expected, despite the code coming from the reference guide example:

"condition" : {
  "array_compare": {
    "ctx.payload.aggregations.lastheartbeat.buckets" : { 
      "path": "doc_count",
      "lte": { 
        "value": 25000, 
        "quantifier": "some" 
      }
    }
  }
}

Seems to pull up an empty array:

"array_compare": {
                    "resolved_values": {
                      "ctx.payload.aggregations.lastheartbeat.buckets": []
                    }
                  }

I feel like I'm overlooking something simple. Setting the Condition to Always or doing a non-array compare on something above the buckets works as expected.

spinscale · August 27, 2016, 9:39am

hey,

can you show a response from the search as an example, so we can dig into this?

--Alex

jeffedwards · August 28, 2016, 10:57pm

Surely. Thanks!

gist.github.com

https://gist.github.com/jeffeDivert/3b0b878cd4833ca5b0568d78dd68a8ed

testWatchInput

GET hbtest03-2016.08.23/logs/_search
{
  "took": 106,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "hits": {

This file has been truncated. show original

jeffedwards · August 31, 2016, 2:00pm

I'd hope it was a simple mistake in the Watch on my part, but I'm not sure.

spinscale · September 5, 2016, 4:23pm

Hey,

sorry for the late response, just got back from being offline.

Can you run the Execute Watch API and post that output? Your watch condition looks ok, albeit the example output you pasted has no hits above the specified threshold, so I just want to check that output.

Also, I dont think that using datemath in the value is supported on top of my head - which you had in the gist that you pasted.

--Alex

jeffedwards · September 5, 2016, 7:34pm

Sorry: I discovered those results were only from a specific day's logs, but that wouldn't ultimately effect the watch.

The execution output on doc count:

gist.github.com

https://gist.github.com/jeffeDivert/a56c7c8312d89c41a5c363f2231ba995

gistfile1.txt

{
    "_id": "heartbeat_test_018_1-2016-09-05T19:11:11.538Z",
    "watch_record": {
        "watch_id": "heartbeat_test_018",
        "state": "execution_not_needed",
        "trigger_event": {
            "type": "manual",
            "triggered_time": "2016-09-05T19:11:11.538Z",
            "manual": {
                "schedule": {

This file has been truncated. show original

Execution output lists comparison date value under "resolved_values":

gist.github.com

https://gist.github.com/jeffeDivert/d8ac09a2ef85e9341ae13fe992242443

gistfile1.txt

{
    "_id": "heartbeat_test_018_1-2016-09-05T19:29:29.146Z",
    "watch_record": {
        "watch_id": "heartbeat_test_018",
        "state": "execution_not_needed",
        "trigger_event": {
            "type": "manual",
            "triggered_time": "2016-09-05T19:29:29.146Z",
            "manual": {
                "schedule": {

This file has been truncated. show original

It's figuring the datetime from the condition, but do you mean it's trying to compare int milliseconds to datetime?

spinscale · September 6, 2016, 7:31am

Hey,

there are no search results being returned in both of your gists. Neither hits nor aggs, because not a single document matched.

--Alex

jeffedwards · September 6, 2016, 2:50pm

Aha! My indices didn't include a wildcard character. Thanks!