Rounding up values in extraction queries

Marius_Kunauskas · September 8, 2022, 10:23am

When setting up an alert and defining by using an extraction query, how do I make the response come out as a rounded value? What is the general syntax and where do I specify this? Example:

{
  "aggs": {
    "2": {
      "avg": {
        "field": "XXX"
      }
    }
  },
  "size": 0,
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    },
    {
      "field": "timestamp",
      "format": "date_time"
    }
  ],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2022-09-08T10:41:02.738Z",
              "lte": "2022-09-08T10:56:02.738Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

jsanz · September 9, 2022, 2:14pm

I don't think you can round values from a pure Elasticsearch query, neither from the templating language (Handlebars) used by Kibana to format text strings in actions like email.

In any case, I also don't think you can use aggregations in the Elasticsearch Query alert, according to this statement from this other post by @Patrick_Mueller

The elasticsearch query rule is the other "generic" rule type, but does not yet support aggregations, so I don't think you can use that one either.

Check the rest of the comment for some further advice.

system · October 7, 2022, 2:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.