Configure Elasticsearch query to alert when the average of Total time taken exceeds a threshold

Hi All,
I am trying to write a search query for Kibana rules so that it alerts when the average of the total time taken exceeds a certain threshold. I have tried using aggregators, filters and also scripts, but on testing, results are provided only for the code written in the query block, and aggregators/scripts don't work. Here is one of the queries I tried which did not work.
Here, I am matching the name and type to get the set of records under them, for which the average time needs to be calculated based on the total time of each record.

{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "name": "abc*"
          }
        },
        {
          "match": {
            "type": "A"
          }
        },
        {
          "match": {
            "avg_time": "2000"
          }
        }
      ]
    }
  },
  "aggs": {
    "avg_time": {
      "avg": { "field": "TotalTime" }
    }
  }
}

Have you tried using the bucket selector aggregation?

It would be something like this:

{
  "size": 0,
  "aggs": {
    "matched": {
      "filters": {
        "filters": {
          "all": { "match_all": {} }
        }
      },
      "aggs": {
        "avg_time": {
          "avg": {
            "field": "TotalTime"
          }
        },
        "avg_time_filter": {
          "bucket_selector": {
            "buckets_path": {
              "avgTime": "avg_time"
            },
            "script": "params.avgTime > 2000"
          }
        }
      }
    }
  }
}
1 Like

Hi @lukas

Thanks for your reply. I tested it out, and a few more solutions around bucket selector too, but the aggregators are not working within the rules configured for alerts. Since having a "query" section is mandatory, whenever I add the query section it gives results only for the query, and if referenced with aggregators, it returns the results of query + aggregators, resulting in extra documents in the results.
My requirement is to match the documents with a particular name and type, calculate the average time for those documents, and return a result if the average time is above 2000. On this particular result I want to add an alert to notify users when the 2k threshold is breached.
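An added example, not code from either poster: it builds the Elasticsearch request that averages `TotalTime` per `name` bucket and drops buckets at or below the threshold (a `bucket_selector` has to hang off a multi-bucket parent such as `terms`, never off a bare `avg` metric), re-implements that selection locally over constructed sample documents so the semantics can be checked without a cluster, and sketches the Kibana `.es-query` rule parameters that alert on the average itself rather than on the number of matching hits. Assumptions not stated in the thread: `name` and `type` have the default `.keyword` sub-field, documents carry an `@timestamp` field, and the stack is Kibana 8.x, where the Elasticsearch query rule accepts `aggType`/`aggField`/`groupBy`.

```python
"""Added example (not from the thread): avg-over-threshold aggregation,
a local re-implementation of it, and the matching Kibana .es-query rule."""
import json
from collections import defaultdict
from statistics import mean


def build_avg_threshold_query(name_prefix: str, type_value: str, threshold: float) -> dict:
    """Query DSL body. Assumes `name`/`type` carry the default `.keyword`
    sub-field, so exact-value prefix/term filters replace the `match` queries."""
    return {
        "size": 0,  # only the aggregation result is wanted, not the raw hits
        "query": {
            "bool": {
                "filter": [
                    {"prefix": {"name.keyword": name_prefix}},
                    {"term": {"type.keyword": type_value}},
                ]
            }
        },
        "aggs": {
            "by_name": {
                # bucket_selector needs a multi-bucket parent; a plain avg
                # metric has no buckets for it to keep or drop
                "terms": {"field": "name.keyword", "size": 100},
                "aggs": {
                    "avg_time": {"avg": {"field": "TotalTime"}},
                    "over_threshold": {
                        "bucket_selector": {
                            "buckets_path": {"avgTime": "avg_time"},
                            "script": {
                                "source": "params.avgTime > params.threshold",
                                "params": {"threshold": threshold},
                            },
                        }
                    },
                },
            }
        },
    }


def select_buckets(docs, name_prefix, type_value, threshold):
    """Local equivalent of the request above: filter, bucket by name,
    average TotalTime, keep only buckets whose average exceeds threshold."""
    samples = defaultdict(list)
    for doc in docs:
        if doc["name"].startswith(name_prefix) and doc["type"] == type_value:
            samples[doc["name"]].append(doc["TotalTime"])
    return {name: mean(v) for name, v in samples.items() if mean(v) > threshold}


def kibana_es_query_rule(index, name_prefix, type_value, threshold):
    """Parameters for a Kibana `.es-query` rule (assumed Kibana 8.x). Only the
    filter part of the query is passed; the rule computes the average itself,
    which is why aggregations inside `esQuery` never drove the alert."""
    query = build_avg_threshold_query(name_prefix, type_value, threshold)["query"]
    return {
        "name": f"avg TotalTime > {threshold} for {name_prefix}*/{type_value}",
        "rule_type_id": ".es-query",
        "consumer": "alerts",
        "schedule": {"interval": "5m"},
        "params": {
            "searchType": "esQuery",
            "index": [index],
            "timeField": "@timestamp",  # assumed timestamp field name
            "esQuery": json.dumps({"query": query}),
            "size": 100,
            "timeWindowSize": 5,
            "timeWindowUnit": "m",
            "aggType": "avg",
            "aggField": "TotalTime",
            "groupBy": "top",
            "termField": "name.keyword",
            "termSize": 10,
            "thresholdComparator": ">",
            "threshold": [threshold],
        },
        "actions": [],
    }


# Constructed sample documents (not real data) to exercise the selection logic.
SAMPLE_DOCS = [
    {"name": "abc-login", "type": "A", "TotalTime": 1500},
    {"name": "abc-login", "type": "A", "TotalTime": 2700},   # avg 2100 -> fires
    {"name": "abc-search", "type": "A", "TotalTime": 1000},
    {"name": "abc-search", "type": "A", "TotalTime": 1200},  # avg 1100 -> quiet
    {"name": "abc-login", "type": "B", "TotalTime": 9000},   # wrong type, ignored
    {"name": "xyz-login", "type": "A", "TotalTime": 9000},   # wrong name, ignored
]

if __name__ == "__main__":
    print(json.dumps(build_avg_threshold_query("abc", "A", 2000), indent=2))
    print(select_buckets(SAMPLE_DOCS, "abc", "A", 2000))
```

Running the block prints the request body and `{'abc-login': 2100}`: the `abc-search` bucket averages 1100 and is dropped by the selector, and the two off-target documents never enter a bucket. The rule dict is the payload shape for `POST /api/alerting/rule`; with `aggType` set to `avg` the rule's own threshold compares against the per-bucket average, so no `aggs` block is needed in `esQuery`.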

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.