Min docs count when using other aggregations

Hey everyone, after a long winter I'm back to using Elastic stuff.

So, scenario: I have this data table where I get IPs and username count for those IPs. The point is to get notifications for when there are more than one username assigned to the same IP. I thought a {"min_doc_count":2} on advanced JSON input would solve it, but since I'm not counting docs, nothing happens.

I tried Google and browsing around the docs, but couldn't find anything with a similar scenario around. Any tip for me?

You could use an Advanced Threshold alert from Watcher for this.
Something like:
WHEN count() GROUPED OVER top 10000 "ip" IS ABOVE 1 FOR THE LAST 356 days

Ah, Watcher is off-limits for me. Gotta stick to what is open/free.

So, does that mean Kibana has no equivalent for {"min_doc_count":2} for aggregating other fields, instead of the doc count?

(edit) OH I've just seen another thread that I think points to my exact problem... so, it seems I just can't do this at the moment. Thanks anyway for the attention, @Marius_Dragomir!

https://discuss.elastic.co/t/only-show-higher-values-than-x/
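As an added example (not from this thread), the same "more than one username per IP" check expressed outside the Kibana visualization builder: an Elasticsearch terms aggregation on the IP with a cardinality sub-aggregation on the username, filtered by a bucket_selector pipeline aggregation, next to the identical logic run client-side over constructed sample events. The field names `ip` and `username.keyword` are assumptions.

```python
from collections import defaultdict


def build_query(min_users=2, ip_field="ip", user_field="username.keyword", top=10000):
    """Search body returning only IP buckets seen with >= min_users distinct
    usernames. Field names are assumptions. cardinality is approximate
    (HyperLogLog++); with the default precision_threshold it is effectively
    exact for the small per-IP counts this check cares about."""
    return {
        "size": 0,
        "aggs": {
            "by_ip": {
                "terms": {"field": ip_field, "size": top},
                "aggs": {
                    "unique_users": {"cardinality": {"field": user_field}},
                    # Pipeline aggregation: drops buckets whose script is false,
                    # playing the role min_doc_count plays for plain doc counts.
                    "keep_multi_user": {
                        "bucket_selector": {
                            "buckets_path": {"users": "unique_users"},
                            "script": {
                                "source": "params.users >= params.min_users",
                                "params": {"min_users": min_users},
                            },
                        }
                    },
                },
            }
        },
    }


def ips_with_multiple_users(records, min_users=2):
    """Same check over already-fetched records (exact, no HLL estimate)."""
    users_per_ip = defaultdict(set)
    for rec in records:
        users_per_ip[rec["ip"]].add(rec["username"])
    return {ip: sorted(u) for ip, u in users_per_ip.items() if len(u) >= min_users}


# Constructed sample events (not real data): one IP shared by two accounts.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.10", "username": "alice"},
    {"ip": "203.0.113.10", "username": "alice"},
    {"ip": "203.0.113.10", "username": "bob"},
    {"ip": "198.51.100.7", "username": "carol"},
    {"ip": "198.51.100.7", "username": "carol"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_query(), indent=2))
    print(ips_with_multiple_users(SAMPLE_EVENTS))
```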
