Hi all,
First of all, sorry if my question is too simple but I'm relatively new to elastic.
I have to create a new rule in Kibana that checks every hour whether the sum of the 'records' field of the documents in the index for a specific transaction (transaction H7A0) is greater than 150000. If the value is greater than that, the rule should trigger and send an email.
I have created this query in devtools:
GET jdbc-db2-transaction-cpu-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "terms": {
            "transaction_id.keyword": ["H7A0"]
          }
        }
      ],
      "filter": [
        {
          "range": {
            "fecha": {
              "gte": "now-60m"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "transaction": {
      "terms": {
        "field": "transaction_id.keyword"
      },
      "aggs": {
        "sum_H7A0_records": {
          "sum": {
            "field": "records"
          }
        }
      }
    }
  }
}
And if I execute it I can see that I get the correct value in the sum_H7A0_records field (in this case 211598):
{
  "took": 253,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 6,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "transaction": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "H7A0",
          "doc_count": 6,
          "sum_H7A0_records": {
            "value": 211598
          }
        }
      ]
    }
  }
}
How can I do it so that in this case, for example, the rule returns 1 hit (not the 6 it returns) since the value is greater than 150000 and no hits if it's below 150000?
Best regards,
Borja
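The threshold check the question asks for, as an added example that is not part of the post: the same query extended with a bucket_selector pipeline aggregation (an Elasticsearch feature that keeps an aggregation bucket only when its script evaluates to true), plus a small evaluator that turns a search response into a fire/no-fire count. The threshold, transaction id, time window, field names and aggregation name sum_H7A0_records come from the question; the aggregation name over_threshold, the helper functions and the sample responses are assumptions constructed for this example.

```python
THRESHOLD = 150000    # from the question: alert when sum(records) > 150000
TRANSACTION = "H7A0"  # transaction id from the question
WINDOW = "now-60m"    # the hourly window used in the question's range filter


def build_query(transaction=TRANSACTION, threshold=THRESHOLD, window=WINDOW):
    """Original query plus a bucket_selector pipeline aggregation that keeps the
    transaction bucket only when its summed 'records' exceeds the threshold."""
    return {
        "size": 0,
        "query": {
            "bool": {
                "must": [{"terms": {"transaction_id.keyword": [transaction]}}],
                "filter": [{"range": {"fecha": {"gte": window}}}],
            }
        },
        "aggs": {
            "transaction": {
                "terms": {"field": "transaction_id.keyword"},
                "aggs": {
                    "sum_H7A0_records": {"sum": {"field": "records"}},
                    # Pipeline aggregation: drop the bucket unless params.total > threshold.
                    "over_threshold": {
                        "bucket_selector": {
                            "buckets_path": {"total": "sum_H7A0_records"},
                            "script": f"params.total > {threshold}",
                        }
                    },
                },
            }
        },
    }


def alert_count(response, threshold=THRESHOLD):
    """Buckets whose sum exceeds the threshold: 1 = fire, 0 = stay quiet. The value
    is re-checked here so this also works on a response from the query without the selector."""
    buckets = response.get("aggregations", {}).get("transaction", {}).get("buckets", [])
    return sum(1 for b in buckets if b["sum_H7A0_records"]["value"] > threshold)


def bucket_response(total):
    """Constructed sample response in the shape shown in the post (hypothetical data)."""
    return {"aggregations": {"transaction": {"buckets": [
        {"key": TRANSACTION, "doc_count": 6, "sum_H7A0_records": {"value": total}}]}}}


if __name__ == "__main__":
    print(alert_count(bucket_response(211598)))  # 1: the value from the post exceeds 150000
    print(alert_count(bucket_response(120000)))  # 0: below the threshold, no alert
```

Note that bucket_selector changes which aggregation buckets come back, not the hits.total count shown in the post's response, so the evaluator counts buckets rather than hits.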