I have a DSL query which finds the latest record grouped by a field Module and if that latest record has another field unexpected_state set to true it matches. I have the rule set for "FOR THE LAST 5 minutes" and it runs every minute.
When I send log entry into the index that triggers the rule it functions no problem. When I send a log entry after that but before the 5 minutes have elapsed into the index that should recover the query (the latest entry unexpected_state is now false) the rule does not recover the alert. If I wait beyond the 5 minutes it recovers the rule not matter what new logs I have sent in.
How do I get this to work so it Recovers when a record is created where the proper field is false?
These are the settings for the Rule:
This is the DSL for the Rule:
{
"query":{
"term" : {"environment_type": "PROD"}
},
"size": 0,
"aggs": {
"modules": {
"terms": {
"field": "Module",
"size": 1000
},
"aggs": {
"latest_record": {
"top_hits": {
"sort": [
{
"sys_time": {
"order": "desc"
}
}
],
"_source" : { "includes": ["sys_time", "unexpected_state", "Module"]},
"size": 1
}
},
"unexpected_state": {
"bucket_selector": {
"buckets_path": {
"latestState": "latest_record[_source.unexpected_state]"
},
"script": "params.latestState > 0"
}
}
}
}
}
}
I appreciate any help on this, thank you! --Jeff