Kibana: alert with various fields

Guillermo_Valles_Cas · May 24, 2021, 10:08am

This is my scenario: I have two fields (A and B) and I would like to create an alert where if sum(A+B) > 90% (or A / B > 1) should trigger the alert. It is possible to do that with alerts with Kibana?

tsullivan · May 27, 2021, 12:47am

Hi, you can do this with runtime fields.

Create a runtime field, for example called ab_sum, in your metrics data that calculates the sum of the two fields. Then create a rule definition of an index threshold rule type that alerts when the calculated field is greater than 0.9.

As the example of how to define the rule, the when and threshold may look like:

When: max() of "ab_sum"
Threshold: is above 0.90

Guillermo_Valles_Cas · June 1, 2021, 6:36am

Would this script create that new field?

PUT my-index-000001/
{
  "mappings": {
    "runtime": {
      "ab_sum": {
        "type": "keyword",
        "script": {
          "source": "['a'].value + ['b'].value"
        }
      }
    }
  }
}

tsullivan · June 9, 2021, 12:03am

The type should be long - not keyword
The script should use the emit method to emit calculated values: Map a runtime field | Elasticsearch Guide [7.13] | Elastic

Example:

      "runtime": {
        "ab_sum": {
          "type": "long",
          "script": {
            "source": "emit(doc['field_a'].value + doc['field_b'].value)"
          }
        }
      }

system · July 7, 2021, 12:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.