Here's one for the "is this possible?" category.
Is it possible to alert on specific conditions and aggregations of data within one index, without having to create an enormous number of watchers?
Consider this: I have an index with customer_name and usage as fields. I want to alert on when usage exceeds 80 for any given customer. I want to then throttle the alert but for that one customer only so that I can still intercept usage alerts for other customers.
In other words, a typical scenario would go like this:
- Acme Inc.'s usage goes above 80. An email is sent to the operator. The alert is then throttled for a day to let the operator deal with the situation.
- A couple of hours later, Northwind Traders' usage also goes above 80. An email is sent to the operator. The alert is then throttled for a day to let the operator deal with the situation.
Technically I could get this done by creating a watcher for every single customer in the index, but we can all agree making 100+ watchers by hand is no fun, let alone maintaining those for when customers join or leave.
I think there was a way to generate automatic watchers based on machine learning or anomaly detection but I'm not certain my use case fits... In my case, I'm not looking for outliers, but rather for values that go above a precise threshold, so it's not like there's any actual ML going on here.
Any clues? 