Hi, I'm trying to develop an elastic search watcher that includes multiple aggregations. I want to group the documents based on the accounts and for each account check if a series of consecutive "failure" attempts in 15 min interval has occurred and also if that is followed by a single or more "success" attempts.
I think the way to do this is using multiple aggregations. Please let me know your thoughts if you are aware of a solution! I am confused as I am new to Elasticsearch.
I receive this error:
"messages": [
"failed to execute watch input"
and this is the explanation
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "request does not support [trigger]",
"line": 2,
"col": 3
}
],
"type": "parsing_exception",
"reason": "request does not support [trigger]",
"line": 2,
"col": 3
},
"status": 400
}
This is my code:
{
"trigger": {
"schedule": {
"interval": "50m"
}
},
"input": {
"search": {
"request": {
"indices": "",
"body": {
"query": {
"wildcard": {
"account_name.keyword": ""
}
},
"aggregations": {
"accounts": {
"terms": {
"field": "accountname.keyword"
}
},
"aggregations": {
"failure": {
"terms": {
"field": "FAILURE",
"size": 2
}
},
"by_hour": {
"date_histogram": {
"field": "date",
"interval": "15m"
},
"aggregations": {
"success": {
"terms": {
"field": "SUCCESS"
}
}
}
}}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.accounts.buckets.0.doc_count": {
"gt": 2
}
}
},
"actions": {
"send_email": {
"email": {
"to": "",
"subject": "",
"body": "",
"attachments": {
"attached_data": {
"data": {
"format": "json"
}
}
},
"priority": "high"
}
}
}
}
Thank you