I've created an alert that returns the results I'm looking for, but I want to return only one event per unique id field. I've tried a couple of different things, but neither of them has worked for me so far.
Using Query DSL, I've tried using 'collapse':
I've also tried using a 'top_hits' aggregation:
The results I'm getting are:
But I'd like them to be:
Am I doing something wrong or is this not possible using Query DSL in alerts?