KQL syntax for serial difference/delta filter

hi guys,

My numeric data is coming in aggregated, so I am using the aggregation "sum of serial difference of values" to take the delta. How do I put this delta in a KQL filter in the search box?

Example:
value 1: 20
value 2: 50
delta: 30

I need the KQL syntax to get results with delta 30.

That's not what KQL is for. As documented, KQL is only capable of filtering documents: Kibana Query Language | Kibana Guide [7.11] | Elastic

Thanks. Then how do we put a filter in the watcher JSON to get only those docs where "delta" is greater than a particular value?

For example:
value 1: 50, doc: 1
value 2: 50, doc: 2
value 3: 100, doc: 3 - delta: 50

I need to set a filter in the watcher alert for when delta is greater than 0.

You will need to write an Advanced Watcher using the query DSL. The derivative pipeline aggregation is the function you are looking for, which is an aggregation, not a query.

Hi,

I am using the condition below in an advanced watcher. Kibana names the aggregations with numbers ("3", "4", "2", "1-metric"), so they have to be accessed with bracket syntax in Painless, and each "buckets" entry is an array, so an index is needed:

"condition" : {
  "script" : {
    "source" : "return ctx.payload.aggregations['3'].buckets[0]['4'].buckets[0]['2'].buckets[0]['1-metric'].value > params.threshold",
    "params" : {
      "threshold" : 0
    }
  }
},

whereas my payload result in the simulation output is below.

I need to put a condition so that when the 1-metric value is greater than zero, the action is triggered, but it is giving an exception for the condition in Painless. Can you assist here with how to put the condition in Painless?

"result": {
  "execution_time": "2021-03-05T10:07:55.927Z",
  "execution_duration": 13,
  "input": {
    "type": "search",
    "status": "success",
    "payload": {
      "_shards": {
        "total": 4,
        "failed": 0,
        "successful": 4,
        "skipped": 0
      },
      "hits": {
        "hits": ,
        "total": 124,
        "max_score": null
      },
      "took": 11,
      "timed_out": false,
      "aggregations": {
        "3": {
          "doc_count_error_upper_bound": 0,
          "sum_other_doc_count": 0,
          "buckets": [
            {
              "4": {
                "doc_count_error_upper_bound": 0,
                "sum_other_doc_count": 0,
                "buckets": [
                  {
                    "2": {
                      "buckets": [
                        {
                          "key_as_string": "2021-03-02T11:00:00.000+03:00",
                          "doc_count": 1,
                          "1-metric": {
                            "value": 0
                          },
                          "key": 1614672000000
                        }

I tried to use the loops below, but they are giving an error.

"condition": {
  "script": {
    "source": """
      // Kibana's numeric aggregation ids need bracket access; each level is a list of buckets
      def outer = ctx.payload.aggregations['3'].buckets;
      for (int i = 0; i < outer.size(); i++) {
        def mid = outer[i]['4'].buckets;
        for (int j = 0; j < mid.size(); j++) {
          def inner = mid[j]['2'].buckets;
          for (int k = 0; k < inner.size(); k++) {
            // the pipeline metric can be missing or null on the first bucket of a series
            if (inner[k].containsKey('1-metric') && inner[k]['1-metric'].value != null
                && inner[k]['1-metric'].value > 1) {
              return true;
            }
          }
        }
      }
      return false;
    """
  }
}
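The advice above (an advanced watch with a derivative pipeline aggregation in the query DSL, and a Painless condition that walks the resulting buckets) combined into one complete watch definition. This is an added example, not code from the thread or from Elastic's documentation; the index pattern metrics-*, the fields @timestamp and value, the 1h interval, the 6h look-back window and the aggregation names per_interval, total_value and delta are all assumptions chosen for illustration, and the threshold is kept in the watch metadata so the condition script and the action text read the same value:

```json
{
  "metadata": {
    "threshold": 0
  },
  "trigger": {
    "schedule": {
      "interval": "10m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["metrics-*"],
        "body": {
          "size": 0,
          "query": {
            "range": {
              "@timestamp": {
                "gte": "now-6h"
              }
            }
          },
          "aggs": {
            "per_interval": {
              "date_histogram": {
                "field": "@timestamp",
                "fixed_interval": "1h"
              },
              "aggs": {
                "total_value": {
                  "sum": {
                    "field": "value"
                  }
                },
                "delta": {
                  "derivative": {
                    "buckets_path": "total_value"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "for (def b : ctx.payload.aggregations['per_interval'].buckets) { if (b.containsKey('delta') && b['delta'].value != null && b['delta'].value > ctx.metadata.threshold) { return true; } } return false;"
    }
  },
  "actions": {
    "log_delta": {
      "logging": {
        "text": "At least one hourly delta of the summed value exceeded {{ctx.metadata.threshold}} in the last 6h"
      }
    }
  }
}
```

Send the body with PUT _watcher/watch/<watch id> (or paste it into the Advanced Watch editor in Kibana) and use the Simulate tab to see the payload the condition receives. Two details matter for the condition: the derivative is not emitted for the first bucket of the histogram, so the script checks containsKey('delta') before reading it, and a bucket whose sum has no value yields a null derivative, so the null check guards against a Painless exception. Bracket access (ctx.payload.aggregations['per_interval']) is used throughout so that the same pattern works unchanged when the aggregation names are Kibana's numeric ids such as '3' or '1-metric'.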

I'm sorry, but I am not able to help you with your painless scripts because I don't know how. We have a separate forum for discussion of watcher/alerting scripts and you should ask your question there: Topics tagged stack-alerting
