I need to extract the doc_count value from each bucket key and use it in a Watcher condition such as ctx.payload.aggregations.by_store.buckets_doc_count > 2.
The Watcher alert I am using is below:
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"store-logs"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"filter": [
{
"match_phrase": {
"xml.RESULT_CODE.keyword": "59026"
}
}
],
"must": {
"range": {
"@timestamp": {
"gte": "now-24h",
"lt": "now"
}
}
}
}
},
"aggs": {
"by_store": {
"terms": {
"field": "StoreNumber.keyword"
}
}
},
"size": 0
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.by_store.buckets_doc_count": {
"gte": 3
}
}
},
This is the response I am getting after simulation; I need to filter it based on a condition on the hits, or on a bucket doc_count > 3:
{
"watch_id": "_inlined_",
"node": "2LFKLB-DRQKNluoCv6V2kQ",
"state": "execution_not_needed",
"user": "bb09596",
"status": {
"state": {
"active": true,
"timestamp": "2022-07-13T19:58:20.058Z"
},
"last_checked": "2022-07-13T19:58:20.058Z",
"actions": {
"email_administrator": {
"ack": {
"timestamp": "2022-07-13T19:58:20.058Z",
"state": "awaits_successful_execution"
}
}
},
"execution_state": "execution_not_needed",
"version": -1
},
"trigger_event": {
"type": "manual",
"triggered_time": "2022-07-13T19:58:20.058Z",
"manual": {
"schedule": {
"scheduled_time": "2022-07-13T19:58:20.058Z"
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"store-logs"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"filter": [
{
"match_phrase": {
"xml.RESULT_CODE.keyword": "59026"
}
}
],
"must": {
"range": {
"@timestamp": {
"gte": "now-24h",
"lt": "now"
}
}
}
}
},
"aggs": {
"by_store": {
"terms": {
"field": "StoreNumber.keyword"
}
}
},
"size": 0
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.by_store.buckets_doc_count": {
"gte": 3
}
}
},
"metadata": {
"name": "Alert for store logs COMM ERROR",
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2022-07-13T19:58:20.058Z",
"execution_duration": 7869,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 22,
"failed": 0,
"successful": 22,
"skipped": 0
},
"hits": {
"hits": [],
"total": 14,
"max_score": null
},
"took": 7868,
"timed_out": false,
"aggregations": {
"by_store": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 1,
"buckets": [
{
"doc_count": 2,
"key": "0155"
},
{
"doc_count": 2,
"key": "0234"
},
{
"doc_count": 2,
"key": "0247"
},
{
"doc_count": 1,
"key": "0033"
},
{
"doc_count": 1,
"key": "0378"
},
{
"doc_count": 1,
"key": "0385"
},