Multiple bucket filter

Hi,
Is there a way to use multiple conditions in a stream filter?
I tried:

"transform": {
    "script": {
      "source": """
            def docs = [];
            def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList());
            def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList());
            def hits = ctx.payload.aggregations.event_types.buckets.add.users.buckets;
            for (hit in hits){
              def document = [
                '@timestamp':ctx.execution_time,
                'origin host': ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(o -> o.host.ip).filter(o -> removes.contains(o)).filter(o -> logins.contains(o)).toArray(), 
                'usernames' :  ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(u -> u.key).filter(u -> removes.contains(u)).filter(u -> logins.contains(u)).toArray()
                ];
                docs.add(document);
            }
            return ['_doc':docs];
          """,
      "lang": "painless"
    }

But I got:

 "transform" : {
        "type" : "script",
        "status" : "failure",
        "reason" : "runtime error",
        "error" : {
          "root_cause" : [
            {
              "type" : "script_exception",
              "reason" : "runtime error",
              "script_stack" : [
                "o -> o.host.ip).filter(",
                "           ^---- HERE"
              ],

Please share the full exception and also the search response, otherwise it is hard to debug further.

Hi Alex,
Here are my watcher config and full exception. If you need any additional information let me know.

Your script states

ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(o -> o.host.ip)

however the payload (the search response) does not contain any host/ip field? Where should this come from?
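
An added example, not part of the original thread and not Elastic's own code: one way to apply several conditions in a single stream filter, using only the bucket keys. It assumes the aggregation layout implied by the script above (keyed `event_types` buckets `add`, `remove` and `login`, each with a `users` terms sub-aggregation whose buckets carry `key` and `doc_count`); the variable names are illustrative.

```painless
// Added example. Assumed layout (taken from the paths in the script above):
// aggregations.event_types.buckets.{add,remove,login}.users.buckets[].key
def types = ctx.payload.aggregations.event_types.buckets;

// User names seen in the "remove" and "login" buckets, as sets for fast lookups.
// Bracket access is used so 'remove' is read as a map key.
def removes = types['remove'].users.buckets.stream()
  .map(b -> b.key)
  .collect(Collectors.toSet());
def logins = types['login'].users.buckets.stream()
  .map(b -> b.key)
  .collect(Collectors.toSet());

// Multiple conditions go into one filter() predicate joined with &&.
// Only b.key is read: no host.ip value is referenced here, because the
// search response would have to return that field first.
def usernames = types['add'].users.buckets.stream()
  .map(b -> b.key)
  .filter(u -> removes.contains(u) && logins.contains(u))
  .collect(Collectors.toList());

// One document per watch execution instead of one identical copy per bucket.
def docs = [];
docs.add([
  '@timestamp': ctx.execution_time,
  'usernames': usernames
]);
return ['_doc': docs];
```

Chaining `.filter(a).filter(b)` as in the question gives the same result as the single `&&` predicate; the failure in the question comes from the `host.ip` lookup, not from the chained filters.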
