Hello
I am ingesting logs from different servers into Elastic and want to be alerted when a server suddenly stops sending data.
For this I have come up with this aggregation:
GET .xxxt*/_search?size=0
{
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-31d"
}
}
}
]
}
},
"aggs": {
"hostnames": {
"terms": {
"field": "server",
"size": 10
},
"aggs": {
"docs_per_5m": {
"date_range": {
"field": "@timestamp",
"ranges": [
{
"to": "now"
},
{
"from": "now-5m"
}
]
},
"aggs": {
"last_bucket": {
"bucket_sort": {
"sort": [
{
"_key": {
"order": "desc"
}
}
],
"size": 1,
"gap_policy": "insert_zeros"
}
}
}
}
}
}
}
}
This yields the following output:
"aggregations": {
"hostnames": {
...................
"buckets": [
{
"key": "server1",
"doc_count": 18684883,
"docs_per_5m": {
"buckets": [
{
"key": "2023-04-14T09:28:04.900Z-*",
"from": 1681464484900,
"from_as_string": "2023-04-14T09:28:04.900Z",
"doc_count": 2128
}
]
}
},
{
"key": "server2",
"doc_count": 761066,
"docs_per_5m": {
"buckets": [
{
............
"doc_count": 47
}
]
}
},
{
"key": "server3",
"doc_count": 66066,
"docs_per_5m": {
"buckets": [
{
................................
"doc_count": 7
}
]
}
},
{
"key": "server4",
"doc_count": 14,
"docs_per_5m": {
"buckets": [
{
.....................",
"doc_count": 0
}
]
}
}
]
}
}
But now I only want to get the buckets where "doc_count" is 0.
I want to use this in a watcher that alerts when a server has 0 documents for the last 5 minutes.
I am getting frustrated