How to display 0 count field values in Elastic DSL Query

All,

I am trying to find a way to display, in an Elastic Watcher alert, the input field values that have 0 matching records.

For example, my input fields and values are hostname=sample.com and source=/tmp/sample/log.

I am using aggregations on these two fields. If I have the records, they show up in the bucket results along with the count, but if I don't have the records, the bucket results do not show these fields with a doc_count of 0. I need the bucket results for doc_count 0 as well.

Sample DSL Query

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "match_phrase": {
            "host.name": "sample.com"
          }
        },
        {
          "match_phrase": {
            "log.file.path": "/tmp/sample.log"
          }
        },
        {
          "range": {
            "message.timestamp": {
              "gte": "now-15m"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "size": 0,
  "aggs": {
    "group": {
      "composite": {
        "sources": [
          {
            "host": {
              "terms": {
                "field": "host.name"
              }
            }
          },
          {
            "source": {
              "terms": {
                "field": "log.file.path"
              }
            }
          }
        ]
      }
    }
  }
}

Query Output

{
  "took" : 303,
  "timed_out" : false,
  "_shards" : {
    "total" : 45,
    "successful" : 45,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "group" : {
      "after_key" : {
        "host" : "sample.com",
        "source" : "/tmp/sample.log"
      },
      "buckets" : [
        {
          "key" : {
            "host" : "sample.com",
            "source" : "/tmp/sample.log"
          },
          "doc_count" : 34971
        }
      ]
    }
  }
}

If I don't have the records, my output is as below:

{
  "took" : 587,
  "timed_out" : false,
  "_shards" : {
    "total" : 45,
    "successful" : 45,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "group" : {
      "buckets" : [ ]
    }
  }
}

Now, whenever I don't have records I need to get an alert along with my input values, like below:

host : sample.com source : /tmp/sample.log count : 0

If I have single values for the input I can hard-code them in the watcher output section, but I have multiple values for the input. Could someone help: are there any aggregation functions which do this job, or should I go with scripting only? Please suggest your thoughts.

Thanks,
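The aggregation can only report buckets for documents that exist, so the 0-count rows have to come from comparing the response against the list of sources you expect. The following is an added example (not code from the post or from Elastic) that does that comparison client-side in Python: it takes the composite aggregation response shown above, a hypothetical `EXPECTED_SOURCES` list of (host.name, log.file.path) pairs, and emits one row per expected pair with missing buckets filled in as count 0, formatted the way the post asks for. The two response objects are constructed from the post's own output, trimmed to the fields the logic reads; `bucket_counts`, `fill_zero_counts`, `silent_sources` and `format_alert` are names chosen here.

```python
import json

# Constructed sample data for this example: the two responses shown in the
# post, trimmed to the fields the logic reads. Not live cluster output.
RESPONSE_WITH_HITS = json.loads("""
{
  "hits": {"total": {"value": 10000, "relation": "gte"}},
  "aggregations": {
    "group": {
      "after_key": {"host": "sample.com", "source": "/tmp/sample.log"},
      "buckets": [
        {"key": {"host": "sample.com", "source": "/tmp/sample.log"},
         "doc_count": 34971}
      ]
    }
  }
}
""")

RESPONSE_EMPTY = json.loads("""
{
  "hits": {"total": {"value": 0, "relation": "eq"}},
  "aggregations": {"group": {"buckets": []}}
}
""")

# Hypothetical list of (host.name, log.file.path) pairs expected to be
# shipping logs. In practice this comes from inventory, not from the index,
# because a source that has stopped logging leaves no trace in the index.
EXPECTED_SOURCES = [
    ("sample.com", "/tmp/sample.log"),
    ("sample.com", "/tmp/other.log"),
    ("db01.example.internal", "/var/log/app/app.log"),
]


def bucket_counts(responses, agg_name="group"):
    """Collect (host, source) -> doc_count from one or more composite
    aggregation responses. Accepting several responses lets the pages a
    composite aggregation returns when paginated with "after" be merged."""
    counts = {}
    for response in responses:
        agg = response.get("aggregations", {}).get(agg_name, {})
        for bucket in agg.get("buckets", []):
            key = bucket["key"]
            counts[(key["host"], key["source"])] = bucket["doc_count"]
    return counts


def fill_zero_counts(responses, expected, agg_name="group"):
    """One row per expected pair. Pairs with no bucket get count 0, which is
    the row the aggregation itself never emits."""
    counts = bucket_counts(responses, agg_name)
    return [
        {"host": host, "source": source, "count": counts.get((host, source), 0)}
        for host, source in expected
    ]


def silent_sources(responses, expected, agg_name="group"):
    """The rows that should raise an alert: expected pairs with no documents."""
    return [row for row in fill_zero_counts(responses, expected, agg_name)
            if row["count"] == 0]


def format_alert(rows):
    """Render rows in the 'host : ... source : ... count : 0' form from the post."""
    return "\n".join(
        f"host : {row['host']} source : {row['source']} count : {row['count']}"
        for row in rows
    )


if __name__ == "__main__":
    print(format_alert(silent_sources([RESPONSE_WITH_HITS], EXPECTED_SOURCES)))
    print("---")
    print(format_alert(silent_sources([RESPONSE_EMPTY], EXPECTED_SOURCES)))
```

Two points worth keeping in mind when moving this into a watcher or rule. The expected list must live outside the index: deriving it from a terms aggregation over the same data would make a source that has gone quiet disappear from the expected set as well, which is exactly the failure you want to detect, since a host that stops shipping logs may be down, misconfigured, or having its logging tampered with. And the query's `size` only bounds hits, not composite pages; if the number of (host, path) combinations can exceed one page of buckets, page with `after_key` and merge the pages before comparing, as `bucket_counts` does.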

We made a fix in this area for Kibana 7.13 - [Alerting] Fixing Elasticsearch query rule to allow matching on 0 documents by ymao1 · Pull Request #97735 · elastic/kibana · GitHub - what version are you running?

Thank you for the update. We are running 7.11.1.
