I'm trying to only get one unique data set returned based on source.keyword.
When I click on "Test Rule" I get this result: "Query matched 6 documents in the last 1m."
I'm streaming data in from a network device so I do get duplicate data sets sent within a minute and I would like to receive a unique data set based on source.keyword.
Then in the "Message" section of the rule, I have this handlebar code to print the data from the above search result:
I'm getting an email that prints all 6 documents that the DSL query matched. These 6 documents are duplicates. All six documents are from the same source. I would like the email to only return 1 unique data set. I hope that makes sense.
I don't know if there is a way in the handlebar code to parse the #context.hits to only return unique data? Or if the DSL query can be edited to accomplish this?
Watcher allows for any arbitrary Elasticsearch query or aggregation. You can then evaluate the result of that query using the script type of the condition to do anything you want.
There's a clue to what you need to do when you look at the contents of ctx. Notice that first of all, you need to reference the things by their hierarchy in the ctx object. So, really, ctx.payload.aggregations.unque_sources.sources.buckets is the array that you'll need to loop through (not ctx.payload.hits).
So, something like:
{{#ctx.payload.aggregations.airlines.buckets}}
IP={{key}} in slot {{top_source.hits.hits.0.slot}} had the following problem: {{top_source.hits.hits.0.description}}
{{/ctx.payload.aggregations.airlines.buckets}}
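A complete watch definition that does what the reply above describes, as an added example that is not from this thread: a terms aggregation on source.keyword collapses the duplicate documents into one bucket per source, a top_hits sub-aggregation keeps only the newest document from each bucket, and the email action loops over the buckets instead of ctx.payload.hits. The index pattern, the recipient address and the slot/description field names are assumptions; note that in Watcher's payload the top_hits documents sit under _source.

```json
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["network-logs-*"],
        "body": {
          "size": 0,
          "query": {
            "range": { "@timestamp": { "gte": "now-1m" } }
          },
          "aggs": {
            "unique_sources": {
              "terms": { "field": "source.keyword", "size": 100 },
              "aggs": {
                "top_source": {
                  "top_hits": {
                    "size": 1,
                    "sort": [{ "@timestamp": { "order": "desc" } }],
                    "_source": ["source", "slot", "description"]
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.unique_sources.buckets.size() > 0"
    }
  },
  "actions": {
    "email_admin": {
      "email": {
        "to": "ops@example.com",
        "subject": "Network device problem report (deduplicated by source)",
        "body": "{{#ctx.payload.aggregations.unique_sources.buckets}}IP={{key}} ({{doc_count}} duplicate documents) in slot {{top_source.hits.hits.0._source.slot}} had the following problem: {{top_source.hits.hits.0._source.description}}\n{{/ctx.payload.aggregations.unique_sources.buckets}}"
      }
    }
  }
}
```

With the six duplicate documents from the question, the search returns one bucket with doc_count 6, so the email contains a single line; "size": 0 drops the raw hits from the payload so only the aggregation is transferred.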