Return result of a custom field using query_template

Hi,

I've created a query_template that gets the average number of alerts per day, but it's not returning the avg_count result to Logstash. I have done this before when the value is an existing field, but not with a custom result, i.e. something that is not a field.
How do I return the avg_count value back to Logstash?
The query does return avg_count when tested in Dev Tools.

Logstash extract:
# Only events that carry a non-empty almcustomer value are enriched.
if [almcustomer] =~ ".+" {
# Elasticsearch enrichment filter driven by an external query template file.
elasticsearch {
hosts => "http://127.0.0.1:9200"
# NOTE(review): credentials are stored inline in the pipeline file; the Logstash
# keystore (referenced as ${VAR}) keeps them out of plaintext config and VCS.
user => "user"
# NOTE(review): the trailing "}" inside the quoted value looks like a paste or
# redaction artifact — confirm the real password does not end with "}".
password => "password}"
index => ["acsc-main-alerts-*"]
query_template => "/etc/logstash/conf.d/query_templates/query_average_alerts_per_day.json"
# Only the first hit is used; aggregations are computed over all matches regardless.
result_size => 1
# `fields` copies values from a returned hit's _source into the event. avg_count
# is an aggregation result, not a hit field, so nothing is copied here — this is
# the likely reason the value never reaches the event. The filter's
# `aggregation_fields` option is the one that maps aggregation names onto event
# fields; presumably that is what is needed here — verify against the plugin docs.
fields => { "[avg_count]" => "average_alerts_per_day" }
}
}

Query template (query_average_alerts_per_day.json):
{
"query": {
"bool": {
"must": ,
"filter":
}
},
"aggs": {
"groupBy": {
"terms": {
"field": "almcustomer"
},
"aggs": {
"docs_per_day": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "1d"
}
},
"avg_count": {
"avg_bucket": {
"buckets_path": "docs_per_day>_count"
}
}
}
}
}
}

Dev Tools Result:

{
"took" : 0,
"timed_out" : false,
"_shards" : {
"total" : 2,
"successful" : 2,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 310,
"relation" : "eq"
},
"max_score" : null,
"hits" :
},
"aggregations" : {
"groupBy" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "ALM",
"doc_count" : 310,
"docs_per_day" : {
"buckets" : [
{
"key_as_string" : "2021-07-08T00:00:00.000Z",
"key" : 1625702400000,
"doc_count" : 6
},
{
"key_as_string" : "2021-07-09T00:00:00.000Z",
"key" : 1625788800000,
"doc_count" : 304
}
]
},
"avg_count" : {
"value" : 155.0
}
}
]
}
}
}

many thanks

Martin
