Hi
I am looking to create a watcher alert that triggers if the value within a bucket is above a certain threshold. However, the value varies, because it sits in a bucket nested within another bucket. The value is shown in (ctx.payload.per_15m.buckets.total_mount_points).
I've attached the watcher rule below, but at the moment it returns a null value — I assume because the value varies. Can anyone help me with how to pull the differing values of total_mount_points out of the rule correctly?
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"metricbeat-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"match_phrase": {
"event.dataset": "system.filesystem"
}
},
{
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-1h",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
],
"should": [],
"must_not": []
}
},
"aggs": {
"host_name": {
"terms": {
"field": "host.name",
"size": 100
},
"aggs": {
"pull_tag": {
"terms": {
"field": "tags",
"size": 1
},
"aggs": {
"per_15m": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "15m"
},
"aggs": {
"total_mount_points": {
"cardinality": {
"field": "system.filesystem.mount_point"
}
},
"card": {
"cumulative_cardinality": {
"buckets_path": "total_mount_points"
}
}
}
}
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.per_15m.buckets.total_mount_points": {
"gte": 3
}
}
}
}