Create Alert from query

Hi, I'm trying to create an alert from a query that returns these data.

The query

GET data/_search
{
  "aggs": {
    "0": {
      "terms": {
        "field": "uuid.keyword",
        "order": {
          "_key": "desc"
        },
        "size": 500
      },
      "aggs": {
        "order_value": {
          "max": {
            "field": "order"
          }
        }
      }
    }
  },
  "size": 0,
  "fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    }
  ],
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gt": "now-1h",
              "time_zone": "Europe/Madrid"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

The result

{
  "took": 18,
  "timed_out": false,
  "_shards": {
    "total": 12,
    "successful": 10,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 25,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "0": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "c3eff434-4bff-453a-8350-9c35ffa2f66f",
          "doc_count": 1,
          "order_value": {
            "value": 8.300000190734863
          }
        },
        {
          "key": "GN-f9d64969-53ae-4c05-b5fd-d16538cde5c7",
          "doc_count": 1,
          "order_value": {
            "value": 5
          }
        },
        {
          "key": "GN-cdcf17f7-08ee-41dd-9c1b-21ddb3d611e3",
          "doc_count": 9,
          "order_value": {
            "value": 8.300000190734863
          }
        },
        {
          "key": "GN-b31c2dc5-ca39-4477-809e-929fc022261d",
          "doc_count": 1,
          "order_value": {
            "value": 5
          }
        },
        {
          "key": "GN-3869086a-5530-4dad-8670-dc4e7409de65",
          "doc_count": 9,
          "order_value": {
            "value": 8.300000190734863
          }
        },
        {
          "key": "GN-219d0f7f-860f-4fdf-a913-af84452d250e",
          "doc_count": 1,
          "order_value": {
            "value": 2
          }
        },
        {
          "key": "681fae71-e458-4476-9b09-118384c6db88",
          "doc_count": 1,
          "order_value": {
            "value": 8.300000190734863
          }
        },
        {
          "key": "1e26ac31-db09-4b70-8254-e9875443ec71",
          "doc_count": 1,
          "order_value": {
            "value": 8.300000190734863
          }
        },
        {
          "key": "09fb6085-e034-46bb-8ba8-0df70986c00c",
          "doc_count": 1,
          "order_value": {
            "value": 8.300000190734863
          }
        },
        {
          "key": "GN-91fda53c-7090-4a60-bb23-ef901aae3eca",
          "doc_count": 4,
          "order_value": {
            "value": 12
          }
        },
        {
          "key": "GN-6968ac5c-7165-4e91-aae9-95a288657ce1",
          "doc_count": 5,
          "order_value": {
            "value": 12
          }
        }
      ]
    }
  }
}

As you see, some of the results have a value of 8.3... and others have a value bigger than 8.3.

These data come from a few records which have an order value between 1 and 12, and the alert I'm trying to create is only for the data where the value of order is lower than 8.4 and which do not have any later log with a higher value.

For example, there exists a log with uuid "A" which has the steps with the order values 1, 2, 3, 4, 5, 6, 7, 8.1, 8.2 and 8.3, and it has been locked in these steps for more than an hour (this is why I use the value '"gt": "now-1h"' in the time range); then an alert must be launched.

So now I have the problem that if a uuid "B" has all the steps between 1 and 12 (obviously it has the step "order : 8.3"), it fits the alert condition and the alert is launched too.
Is there any way to create the alert so that it only sends the mail when the order is equal to 8.3 and there isn't any order step higher than 8.3? In case there is any higher order step, the alert isn't launched.

Thank you
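One way to express the condition, as an added example that is not part of the original post or of any Elastic documentation: evaluate the alert on the per-uuid *maximum* order (not on whether an 8.3 step exists), first client-side over the buckets from the result above, then server-side with a `bucket_selector` pipeline aggregation so the alert rule only sees the uuids that qualify. Assumptions made here, none of which come from the post: the threshold is 8.4, "stuck" also means nothing was logged in the last hour, the aggregation is named `per_uuid` with a second `max` named `last_seen` on `@timestamp`, and the lookback window is `now-7d` so that a higher step logged before the last hour is still seen. Index, field names and the sample bucket values are taken from the post.

```python
import time

ORDER_THRESHOLD = 8.4          # assumption: alert only if the highest step seen is below this
STALE_AFTER_SECONDS = 3600     # assumption: and the uuid logged nothing in the last hour

# Constructed from the aggregation buckets in the result posted above
# (uuid key and the max "order" per uuid); the rest of the response is omitted.
SAMPLE_BUCKETS = [
    {"key": "c3eff434-4bff-453a-8350-9c35ffa2f66f", "order_value": {"value": 8.300000190734863}},
    {"key": "GN-f9d64969-53ae-4c05-b5fd-d16538cde5c7", "order_value": {"value": 5}},
    {"key": "GN-cdcf17f7-08ee-41dd-9c1b-21ddb3d611e3", "order_value": {"value": 8.300000190734863}},
    {"key": "GN-b31c2dc5-ca39-4477-809e-929fc022261d", "order_value": {"value": 5}},
    {"key": "GN-3869086a-5530-4dad-8670-dc4e7409de65", "order_value": {"value": 8.300000190734863}},
    {"key": "GN-219d0f7f-860f-4fdf-a913-af84452d250e", "order_value": {"value": 2}},
    {"key": "681fae71-e458-4476-9b09-118384c6db88", "order_value": {"value": 8.300000190734863}},
    {"key": "1e26ac31-db09-4b70-8254-e9875443ec71", "order_value": {"value": 8.300000190734863}},
    {"key": "09fb6085-e034-46bb-8ba8-0df70986c00c", "order_value": {"value": 8.300000190734863}},
    {"key": "GN-91fda53c-7090-4a60-bb23-ef901aae3eca", "order_value": {"value": 12}},
    {"key": "GN-6968ac5c-7165-4e91-aae9-95a288657ce1", "order_value": {"value": 12}},
]


def stuck_uuids(buckets, threshold=ORDER_THRESHOLD):
    """Client-side version of the alert condition.

    A uuid qualifies only if the *highest* order it ever logged is below the
    threshold. Testing the max (instead of "does an 8.3 step exist") is what
    keeps uuid "B" out: it logged 8.3 too, but its max is 12. Buckets whose
    max is null (no numeric "order" in any doc) are skipped, not alerted on.
    """
    hits = []
    for bucket in buckets:
        max_order = bucket["order_value"]["value"]
        if max_order is not None and max_order < threshold:
            hits.append(bucket["key"])
    return sorted(hits)


def build_alert_query(threshold=ORDER_THRESHOLD, cutoff_ms=None,
                      lookback="now-7d", size=500):
    """Server-side version: the same terms/max aggregation as the posted query,
    plus a bucket_selector that drops every uuid whose max order reached the
    threshold or that logged anything after cutoff_ms (epoch milliseconds).

    "lookback" is an assumption: the window must cover the whole lifetime of a
    flow, otherwise a higher step logged before the window is invisible and
    the uuid would alert although it already moved past 8.3.
    """
    if cutoff_ms is None:
        cutoff_ms = int((time.time() - STALE_AFTER_SECONDS) * 1000)
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gt": lookback}}},
        "aggs": {
            "per_uuid": {
                "terms": {"field": "uuid.keyword", "size": size},
                "aggs": {
                    "order_value": {"max": {"field": "order"}},
                    # max over a date field yields epoch millis in "value"
                    "last_seen": {"max": {"field": "@timestamp"}},
                    "stuck": {
                        "bucket_selector": {
                            "buckets_path": {"maxOrder": "order_value",
                                             "lastSeen": "last_seen"},
                            "script": {
                                "source": "params.maxOrder < params.threshold "
                                          "&& params.lastSeen < params.cutoff",
                                "params": {"threshold": threshold,
                                           "cutoff": cutoff_ms},
                            },
                        }
                    },
                },
            }
        },
    }


def stuck_uuids_from_response(response, agg_name="per_uuid"):
    """Read the uuids that survived the bucket_selector out of a search response."""
    return sorted(b["key"] for b in response["aggregations"][agg_name]["buckets"])


if __name__ == "__main__":
    import json
    print(stuck_uuids(SAMPLE_BUCKETS))
    print(json.dumps(build_alert_query(), indent=2))
```

Two caveats when wiring this into an alert: the `terms` aggregation truncates to `size` uuids before the `bucket_selector` runs, so a flow outside the top 500 keys is never evaluated, and the alert should fire on "the aggregation returned at least one bucket", since the selector has already applied the order and staleness conditions.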
