Hi, I am currently facing some problems when trying to create an alert. My use case is that I want to calculate a ratio for each country (a field on my index) and get notified for each country for which this ratio is less than 99%. Below is my Watch JSON:
{
  "trigger": {
    "schedule": {
      "hourly": {
        "minute": [15, 45]
      }
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "acceptable": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [],
                "types": [],
                "body": {
                  "query": {
                    "query_string": {
                      "query": "topic:(event_tts_* OR event_sip_*) AND d.direction:out AND d.reason:(0, 200, 404, 484, 486, 600, 603, 606, 610) AND @timestamp:[now-60m TO now-3m]"
                    }
                  }
                }
              },
              "extract": ["hits.total"]
            }
          }
        },
        {
          "denom": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [],
                "types": [],
                "body": {
                  "query": {
                    "query_string": {
                      "query": "topic:(event_tts_* OR event_sip_*) AND d.direction:out AND _exists_:d.reason AND !d.reason:202 AND @timestamp:[now-60m TO now-3m]"
                    }
                  }
                }
              },
              "extract": ["hits.total"]
            }
          }
        }
      ]
    }
  },
  "condition": {
    "script": {
      "source": "return (params.threshold * ctx.payload.denom.hits.total) > ctx.payload.acceptable.hits.total",
      "lang": "painless",
      "params": {
        "threshold": 0.99
      }
    }
  },
  "actions": {
    "email_admin": {
      "email": {
        "profile": "standard",
        "to": ["random@randommail.com"],
        "subject": "kibanaAlertTest",
        "body": {
          "text": "Found {{ctx.payload.acceptable.hits.total}} acceptable reasons hits and {{ctx.payload.denom.hits.total}} hits for the tts and sip topics in the last hour."
        }
      }
    }
  }
}
I understand from the documentation that I will need to use a terms aggregation on the field country. In a simple input the aggregation would be in the search body request. But where should it be in a chain input?
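Added example, not part of the original post: in a chain input each named input carries its own full search request, so the aggregation goes inside that input's "body" next to "query", exactly as in a simple search input, and "extract" then selects the bucket list instead of "hits.total". The Python below models what the watch sees in ctx.payload after both inputs have run and applies the per-country version of the original condition. It assumes an aggregation named by_country on a field called country (whether the mapping needs country.keyword is unknown here), the sample bucket counts are constructed, and the Painless string at the end is an assumed equivalent of the Python check rather than something the original watch contains.

```python
"""Per-country ratio check for a Watcher chain input (added example)."""

# Search body for one chain input. The terms aggregation sits inside "body"
# beside "query"; the matching "extract" would be
# ["aggregations.by_country.buckets"]. Query string taken from the original
# "acceptable" input; "size": 0 because only the buckets are needed.
ACCEPTABLE_BODY = {
    "size": 0,
    "query": {
        "query_string": {
            "query": "topic:(event_tts_* OR event_sip_*) AND d.direction:out "
                     "AND d.reason:(0, 200, 404, 484, 486, 600, 603, 606, 610) "
                     "AND @timestamp:[now-60m TO now-3m]"
        }
    },
    "aggs": {
        # "country" is an assumed field name; "size" caps the number of buckets
        "by_country": {"terms": {"field": "country", "size": 200}}
    },
}

# Constructed sample of ctx.payload after both chain inputs ran with
# extract ["aggregations.by_country.buckets"]. "ES" has denominator traffic
# but no acceptable hits (so no bucket); "IT" is an empty bucket.
SAMPLE_PAYLOAD = {
    "acceptable": {"aggregations": {"by_country": {"buckets": [
        {"key": "DE", "doc_count": 995},
        {"key": "FR", "doc_count": 480},
    ]}}},
    "denom": {"aggregations": {"by_country": {"buckets": [
        {"key": "DE", "doc_count": 1000},
        {"key": "FR", "doc_count": 500},
        {"key": "ES", "doc_count": 40},
        {"key": "IT", "doc_count": 0},
    ]}}},
}


def buckets_to_counts(payload_part):
    """Flatten a terms-aggregation bucket list into {country: doc_count}."""
    buckets = payload_part["aggregations"]["by_country"]["buckets"]
    return {b["key"]: b["doc_count"] for b in buckets}


def failing_countries(payload, threshold=0.99):
    """Return {country: ratio} for every country below the threshold.

    Uses the same integer-safe comparison as the original condition
    (threshold * denom > acceptable) so a country missing from the
    "acceptable" buckets counts as 0 hits, and countries with no traffic
    at all are skipped instead of dividing by zero.
    """
    acceptable = buckets_to_counts(payload["acceptable"])
    denom = buckets_to_counts(payload["denom"])
    failing = {}
    for country, total in denom.items():
        if total == 0:
            continue
        hits = acceptable.get(country, 0)
        if threshold * total > hits:
            failing[country] = round(hits / total, 4)
    return failing


def should_fire(payload, threshold=0.99):
    """Watch-level condition: fire if any country is below the threshold."""
    return bool(failing_countries(payload, threshold))


# Assumed Painless equivalent of should_fire() for the watch "condition"
# (not from the original watch; params.threshold stays 0.99).
CONDITION_PAINLESS = """
def acc = [:];
for (b in ctx.payload.acceptable.aggregations.by_country.buckets) {
  acc[b.key] = b.doc_count;
}
for (b in ctx.payload.denom.aggregations.by_country.buckets) {
  if (b.doc_count > 0 && params.threshold * b.doc_count > acc.getOrDefault(b.key, 0)) {
    return true;
  }
}
return false;
"""

if __name__ == "__main__":
    print(failing_countries(SAMPLE_PAYLOAD))  # {'FR': 0.96, 'ES': 0.0}
```

To get one notification per country rather than one email for the whole watch, the same loop would live in a transform that writes the failing map into ctx.payload, and the action body would iterate over it; the condition above only decides whether the watch fires at all.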