How to set watcher condition when aggregations doc_count greater than a value

Hi,

I search heartbeat-* indices when status is down and want to send a message to Telegram.

My DSL is:

GET heartbeat-7.7.0*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "monitor.status": "down"
          }
        }
      ],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gt": "now-5m"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "alert": {
      "terms": {
        "field": "monitor.name"
      }
    }
  }
}

And the aggregations result is:

"aggregations" : {
    "alert" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "BC_Video_alert(BC)",
          "doc_count" : 990
        },
        {
          "key" : "AB_Video",
          "doc_count" : 5
        },
        {
          "key" : "SP_sport_alert(SABA)",
          "doc_count" : 2
        }
      ]
    }
  }

Is it possible to use watcher condition syntax when aggregations.buckets.doc_count is greater than a value?

Like the syntax below (but I don't know what the correct syntax is):

ctx.payload.aggregations.buckets.doc_count > 20

then do some actions

thank you :slightly_smiling_face:

You can do that, but a workaround might be to specify min_doc_count in the terms aggregation and then check for ctx.payload.aggregations.alert.buckets.size > 0

2 Likes
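
The direct check that the reply says is possible, written out as an added example (not from the original posts): an `array_compare` condition that fires when at least one bucket of the `alert` aggregation has a `doc_count` above 20, and a Painless transform that keeps only those buckets for the action to report. The threshold of 20 comes from the question; the `down_monitors` payload key is a name assumed here.

```json
{
  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.alert.buckets": {
        "path": "doc_count",
        "gt": {
          "value": 20,
          "quantifier": "some"
        }
      }
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "return ['down_monitors': ctx.payload.aggregations.alert.buckets.stream().filter(b -> b.doc_count > params.threshold).collect(Collectors.toList())]",
      "params": {
        "threshold": 20
      }
    }
  }
}
```

With the `min_doc_count` workaround the bound is inclusive, so the equivalent of `doc_count > 20` is `"min_doc_count": 21`.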

Thank you Alexander :smiling_face_with_three_hearts:

I fixed the DSL syntax and it works!!

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "heartbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 5,
          "track_total_hits": true,
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "monitor.status": "down"
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gt": "now-5m",
                      "time_zone": "+08:00"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "alert": {
              "terms": {
                "field": "monitor.name",
                "min_doc_count": 5
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.alert.buckets.size() > 0",
      "lang": "painless"
    }
  },
  "actions": {
    "my_webhook": {
      "webhook": {
        "scheme": "https",
        "host": "api.telegram.org"
~~~~~
