Mathematical operations on individual bucket elements


#1

My goal is to set up an alert which is only triggered if one of the terms' counts is at least 10% of the other one. In my final aggregation (third), I get two keys and doc counts to compare.
For example, in the query, I'm looking for all non-US visitors, but it's only interesting to me if the non-US/US doc count rate is above 10 percent.


(Alexander Reelsen) #2

Hey,

You can set up the alert condition to check if the values of your two buckets differ by more than 10 percent.

The examples repo might help a bit.

--Alex


#3

I have to check whether ctx.payload.secondinchain.aggregations.first.buckets.second.buckets.third.buckets.0.doc_count divided by the same bucket's other doc count (if present), ctx.payload.secondinchain.aggregations.first.buckets.second.buckets.third.buckets.1.doc_count, is over 0.1.
But I get various syntax errors by using that method.
Also, I want to filter out the results in the same bucket.

    // filter out this one:
    ... "buckets": [
            {
              "doc_count": 13,
              "key": "NON-US"
            },
            {
              "doc_count": 2238,
              "key": "US"
            }
          ]
        },
        "key": "registration"
      }
    ...
    // keep this one
    ... "buckets": [
            {
              "doc_count": 130,
              "key": "NON-US"
            },
            {
              "doc_count": 600,
              "key": "US"
            }
          ]
        },
        "key": "discounts"
      }
    ...

Could you please point me in the direction where I can check how to refer to those values correctly?


(Alexander Reelsen) #4

Where is the script you tested with? Can you provide the full watch?


#5

This is how the current watch looks:

  {
    "trigger" : { "schedule" : { "interval" : "1m"  } },
    "input" : {
    	"chain" : {
    		"inputs" : [
    			{ 
    			"firstchain" : {
				      "search" : {
				        "request" : {
				          "indices" : [ "<index-{now/d}>","<index-{now}>" ],
				          "types" : [ "type1" ],
				          "body" : {
				            "size" : 1,
				            "query" : {
				              "bool": {
				              	"must": [ 	{ "match_phrase": {  "country": "US"  } },
				              				{ "range" : { "@timestamp" : { "from" : "now-1h" }}}
				              			 ]
				              }
				            },
							"aggs": {
				              "countries": {
				                	"terms": { "field": "country.keyword",
				                				
				                  			"order": {  "_count": "desc"  }
							              	 },
				                    "aggs": {
				                     "pages" : {
				                      "terms": {
				                       "field": "page.keyword",
				                       "min_doc_count": 10,
				                       "order": {
				                         "_term": "desc"
				                        }
				                      }
				                     }
				                    }
							       		   }
							        }
				          }
				        }
				      }
				      }
				      },
				      {
					"secondchain" : {
				      "search" : {
				        "request" : {
				          "indices" : [ "<index-{now/d}>","<index-{now}>" ],
				          "types" : [ "type1" ],
				          "body" : {
				            "size" : 1,
				            "query" : {
				              "bool": {
				              	"must": 	{ "range" : { "@timestamp" : { "from" : "now-1h" }}},
				              	"should": { "terms": {
							                            "page.keyword": [
"{{#ctx.payload.firstchain.aggregations.country.buckets}}{{#page.buckets}}{{key}}","{{/page.buckets}}{{/ctx.payload.firstchain.aggregations.country.buckets}}"
							                            ]
							                          }},
							    "minimum_should_match" : "1",
				              	"filter": { "terms": {
							                            "country.keyword": ["US","non-US"]
							                          }}
				              }
				            },
				           "aggs": {
				              "sites": {
				                "terms": {
				                  "field": "site.keyword",
				                  "order": {
				                    "_count": "desc"
				                  }
				                },
				                "aggs": {
				                  "pages": {
				                    "terms": {
				                      "field": "page.keyword",
				                      "order": {
				                        "_count": "desc"
				                      }
				                    },
				                    "aggs": {
				                     "countries" : {
				                      "terms": {
				                       "field": "country.keyword",
				                       "order": {
				                         "_term": "desc"
				                        }
				                      }
				                     }
				                    }
				                  }
				                }
				              }
				            }
				          }
				        }
				      }
			     }
			     }
			 ]
      }
    },
    "condition" : {
      "script": "return (ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.0.doc_count / ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.1.doc_count) > 0.1;"
    },
    "actions" :{
   "send_email" : { 
    "throttle_period": "4m",
      "email" : { 
        "to" : "to@me.com", 
        "subject" : "-", 
        "body" : { "html": "" 
        }
      }
    } 
  }
  }

(Alexander Reelsen) #6

Hey,

This is pretty lengthy. In order to debug I also need the output of the execute watch API or the latest watch history entry (of course only when there is a problem executing, not the good case).

--Alex


#7

Hello!

"exception": {
      "type": "script_exception",
      "reason": "runtime error",
      "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "Illegal list shortcut value [pages].",
        "stack_trace": "java.lang.IllegalArgumentException: Illegal list shortcut value [pages].\n\tat org.elasticsearch.painless.Def.lookupGetter(Def.java:458)\n\tat org.elasticsearch.painless.DefBootstrap$PIC.lookup(DefBootstrap.java:147)\n\tat org.elasticsearch.painless.DefBootstrap$PIC.fallback(DefBootstrap.java:201)\n\tat org.elasticsearch.painless.Executable$Script.execute(return (ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.0.doc_count / ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.1.doc_count) > 0.1; @ <inline scri ...:67)\n\tat org.elasticsearch.painless.ScriptImpl.run(ScriptImpl.java:123)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.doExecute(ScriptCondition.java:95)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.execute(ScriptCondition.java:85)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.executeInner(ExecutionService.java:390)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.execute(ExecutionService.java:274)\n\tat org.elasticsearch.xpack.watcher.transport.actions.execute.TransportExecuteWatchAction.masterOperation(TransportExecuteWatchAction.java:136)\n\tat org.elasticsearch.xpack.watcher.transport.actions.execute.TransportExecuteWatchAction.masterOperation(TransportExecuteWatchAction.java:63)\n\tat org.elasticsearch.action.support.master.TransportMasterNodeAction.masterOperation(TransportMasterNodeAction.java:87)\n\tat org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction$2.doRun(TransportMasterNodeAction.java:167)\n\tat org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:596)\n\tat org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tat 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\tat java.lang.Thread.run(Thread.java:745)\n"
      },
      "script_stack": [
        "return (ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.0.doc_count / ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.1.doc_count) > 0.1;",
        "                                                                  ^---- HERE"
      ],
      "script": "return (ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.0.doc_count / ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.1.doc_count) > 0.1;",
      "lang": "painless",
      "stack_trace": "ScriptException[runtime error]; nested: IllegalArgumentException[Illegal list shortcut value [pages].];\n\tat org.elasticsearch.painless.ScriptImpl.convertToScriptException(ScriptImpl.java:181)\n\tat org.elasticsearch.painless.ScriptImpl.run(ScriptImpl.java:128)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.doExecute(ScriptCondition.java:95)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.execute(ScriptCondition.java:85)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.executeInner(ExecutionService.java:390)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.execute(ExecutionService.java:274)\n\tat org.elasticsearch.xpack.watcher.transport.actions.execute.TransportExecuteWatchAction.masterOperation(TransportExecuteWatchAction.java:136)\n\tat org.elasticsearch.xpack.watcher.transport.actions.execute.TransportExecuteWatchAction.masterOperation(TransportExecuteWatchAction.java:63)\n\tat org.elasticsearch.action.support.master.TransportMasterNodeAction.masterOperation(TransportMasterNodeAction.java:87)\n\tat org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction$2.doRun(TransportMasterNodeAction.java:167)\n\tat org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:596)\n\tat org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\tat java.lang.Thread.run(Thread.java:745)\nCaused by: java.lang.IllegalArgumentException: Illegal list shortcut value [pages].\n\tat org.elasticsearch.painless.Def.lookupGetter(Def.java:458)\n\tat org.elasticsearch.painless.DefBootstrap$PIC.lookup(DefBootstrap.java:147)\n\tat org.elasticsearch.painless.DefBootstrap$PIC.fallback(DefBootstrap.java:201)\n\tat 
org.elasticsearch.painless.Executable$Script.execute(return (ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.0.doc_count / ctx.payload.secondchain.aggregations.sites.buckets.pages.buckets.countries.buckets.1.doc_count) > 0.1; @ <inline scri ...:67)\n\tat org.elasticsearch.painless.ScriptImpl.run(ScriptImpl.java:123)\n\t... 13 more\n"
    }
  }

I think that I just need to know how to refer to the sub-buckets using painless' dot notation.

Thank you!


(Alexander Reelsen) #8

This is hard to tell without an example output of your aggregation. You might want to check out the recently added elvis operator for dereferences in painless though, which prevents NPEs.

--Alex
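
Added example, not written by either thread participant: the "Illegal list shortcut value [pages]" error in #7 arises because every `buckets` field in a terms aggregation response is a list, so `buckets.pages` cannot be dereferenced with dot notation, and a Painless condition has to iterate the lists instead. The sketch assumes the aggregation names from the watch in #5 (`sites`, `pages`, `countries`) and the key `US` from the sample output in #3, and counts every other country key as non-US.

```painless
// Added example: watch condition that fires when any page bucket has
// a non-US / US doc count ratio above 0.1.
// Assumed names: secondchain, sites, pages, countries (from the watch in #5).
def sites = ctx.payload.secondchain.aggregations.sites.buckets;

for (def site : sites) {                    // buckets is a list: iterate it
  for (def page : site.pages.buckets) {     // sub-aggregation hangs off each bucket
    double us = 0;
    double nonUs = 0;

    // Look the buckets up by key, not by position: the order of the
    // country buckets depends on the aggregation's "order" setting,
    // and one of the two keys may be missing entirely.
    for (def country : page.countries.buckets) {
      if (country.key == 'US') {
        us = (double) country.doc_count;
      } else {
        nonUs += (double) country.doc_count;
      }
    }

    // Doubles avoid integer division (130 / 600 would otherwise be 0),
    // and the us > 0 guard skips pages without a US bucket.
    if (us > 0 && nonUs / us > 0.1) {
      return true;
    }
  }
}
return false;
```

With the sample buckets from #3, "registration" (13 / 2238) does not satisfy the check and "discounts" (130 / 600) does.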

