Kibana advanced watch: Sub Aggregation Max Alert


#1

Hello,

What would be the JSON for Advanced Watcher Alert on Maximum Score value, for each Unique (customer) ID.

Thank you!


(Josh Dover) #2

Without knowing your index mappings, I can't provide an exact JSON query, but you probably want to do a Terms Aggregation which will group the results into buckets, one for each unique value of the field.

Here's an example search that may be close to what you need:

GET /_search
{
    "aggs" : {
        "customerId" : {
            "terms" : {
                "field" : "customerId",
                "order" : { "max_score" : "desc" }
            },
            "aggs" : {
                "max_score" : { "max" : { "field" : "score" } }
            }
        }
    }
}
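
The post asks for a complete Advanced Watch rather than a bare search, so here is one way to wrap the aggregation above in a watch body. This is an added example, not code from the original thread or from Elastic; the index pattern `pindrop*` is taken from the later reply in this thread, the field names `customerId` and `score` from the search above, and the `@timestamp` field, the 5m schedule and the threshold of 80 are assumptions. The body is what the Kibana Advanced Watch editor expects (the same JSON you would PUT to the Watcher API):

```json
{
  "metadata": {
    "threshold": 80
  },
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "pindrop*" ],
        "body": {
          "size": 0,
          "query": {
            "range": {
              "@timestamp": {
                "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                "lte": "{{ctx.trigger.scheduled_time}}"
              }
            }
          },
          "aggs": {
            "customerId": {
              "terms": {
                "field": "customerId",
                "size": 50,
                "order": { "max_score": "desc" }
              },
              "aggs": {
                "max_score": { "max": { "field": "score" } }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "for (b in ctx.payload.aggregations.customerId.buckets) { if (b.max_score.value != null && b.max_score.value >= ctx.metadata.threshold) { return true; } } return false;"
    }
  },
  "transform": {
    "script": {
      "source": "def hits = []; for (b in ctx.payload.aggregations.customerId.buckets) { if (b.max_score.value != null && b.max_score.value >= ctx.metadata.threshold) { hits.add(['customerId': b.key, 'max_score': b.max_score.value]); } } return ['hits': hits];"
    }
  },
  "actions": {
    "log_high_scores": {
      "logging": {
        "level": "info",
        "text": "Customers whose max score reached {{ctx.metadata.threshold}} in the last 5m: {{#ctx.payload.hits}}{{customerId}}={{max_score}} {{/ctx.payload.hits}}"
      }
    }
  }
}
```

The condition walks the terms buckets and fires when any customer's `max_score` meets the threshold (the `null` check covers a bucket whose documents have no `score`); the transform then trims the payload down to only those customers so the action text lists just the offenders. Two caveats: `customerId` has to be a `keyword` (or numeric) field for the terms aggregation to work, which is why the mappings matter, and ordering a terms aggregation by a sub-aggregation is approximate across shards, so raise `size` or add `shard_size` if a customer with few documents but a high score must never be missed. A declarative `array_compare` condition on `ctx.payload.aggregations.customerId.buckets` with `"path": "max_score.value"` would also work, but it takes a literal threshold rather than `ctx.metadata`.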

#3

Hi Josh,

Attempt to provide index mapping,

Running the script (row 7) produces no output.

Please advise.

Best Regards,

Mark Wharton

Sr. Fraud Intelligence Engineer
PSCU | Risk Management
mawharton@pscu.com | office: 844.367.7728 | mobile: 616.706.1022
560 Carillon Parkway
St. Petersburg, FL 33716


(Josh Dover) #4

I think that request is showing up empty because no index matches the _pindrop* pattern. Can you provide the mappings of this request: GET /pindrop*/_mapping? (without the underscore before pindrop)


#5

Hi Josh,

Attached is PinDrop Mapping.

Best Regards,

Mark Wharton


(Attachment PinDrop_Mapping.docx is missing)


(Josh Dover) #6

Looks like your attachment didn't make it. Can you post it directly in the reply on the forum?