Hi Team,
Could you let me know how to redefine the number of documents used for the avg calculation when using metricAgg in a Watcher query?
I tried the below (setting "size": 20 on the terms aggregation), but it still only counts 10 documents:
"aggs": {
"bucketAgg": {
"terms": {
"field": "message.keyword",
"size": 20,
"order": {
"metricAgg": "desc"
}
},
"aggs": {
"metricAgg": {
"avg": {
"field": "Time"
}
}
}
}
}
Please find the full watch below:
{
"trigger": {
"schedule": {
"interval": "30s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"index*"
],
"types": ,
"body": {
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"from": "now-30s",
"to": "now"
}
}
}
}
},
"aggs": {
"bucketAgg": {
"terms": {
"field": "message.keyword",
"size": 20,
"order": {
"metricAgg": "desc"
}
},
"aggs": {
"metricAgg": {
"avg": {
"field": "Time"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"source": "if (ctx.payload.aggregations.metricAgg.value > params.threshold) { return true; } return false;",
"lang": "painless",
"params": {
"threshold": 1000
}
}
},
"actions": {
"email_admin": {
"throttle_period":"30s",
"email": {
"profile": "standard",
"to": [
"name.mail.com"
],
"subject": "ALERTS",
"body": {
"text": " WATCHER - Time exceeded 1000 "
}
}
}
}
}