Hi , I had a Kibana watcher which will give aggregation buckets in below format
distinct_error_count:[
{
key:"Error 1 Occured",
distinct_count:6
},
{
key:"Error 2 Occured",
distinct_count:4
},
{
key:"Error 3 Occured",
disctinct_count:1
}]
I need to send email which contains these errors but before that I need to check for each and every key in distinct_error_count if distinct_count > threshold(dynamic value which can be placed anywhere in external or Elastic space).
In Splunk we have lookups which is csv file on the Splunk and can be retrieved in Splunk Alert.
Want to know if there we can create lookups in Elastic as above. If so, where I can create this file else Is there a way I can place this file externally and retrieve in Watcher?
I heard ingest pipeline is better in this scenario , Want in detail how can i implement this if applicable and any detailed example of entire watcher with this ingestion implementation will be useful for me.
Thanks in Advance for the help.