I am trying to apply a filter in a Transform Script and map the results to a new list. I am able to successfully do this when only using 1 aggregation. However, I am not having any luck using a second aggregation that exists inside the first one. The specific part of the script that isn't working is when I try to map values to new fields. Are there any examples of how to apply filters in a watcher that is using multiple aggregations ?
"transform": {
"script": {
"source": "ctx.payload.aggregations.image_agg.buckets.stream().filter(a -> a.parentimage_agg.buckets.stream().filter(b -> b.doc_count > ctx.metadata.condition_count)).map(b -> ['image':b.key,'count':b.doc_count]).collect(Collectors.toList());",
"lang": "painless"
}
}
I am also including a snippet of the result output. Ultimately, I am trying to alert only on specific events using doc_count in parentimage_agg.buckets and want to map that doc_count to a list, as well as the key from both aggregations.
"aggregations": {
"image_agg": {
"doc_count_error_upper_bound": 39,
"sum_other_doc_count": 1882,
"buckets": [
{
"doc_count": 12830,
"parentimage_agg": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 12830,
"key": "C:\\Program Files\\Amazon\\SSM\\amazon-ssm-agent.exe"
}
]
},
"key": "C:\\Windows\\System32\\wbem\\WMIC.exe"
}