Hi,
we would like to move from watchers to rules (Rule and connectors section). In particular, in the past, we have defined a watcher that performs the following queries / aggregations:
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "transaction.result : *",
            "analyze_wildcard": true
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-2m",
              "lte": "now",
              "format": "strict_date_optional_time||epoch_millis"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "by_hosts": {
      "terms": {
        "field": "host.name",
        "size": 200
      },
      "aggs": {
        "by_app": {
          "terms": {
            "field": "application.name"
          },
          "aggs": {
            "successes": {
              "filter": {
                "term": {
                  "transaction.result": "0"
                }
              }
            },
            "by_error": {
              "bucket_script": {
                "buckets_path": {
                  "attempts": "_count",
                  "successes": "successes._count"
                },
                "script": "1-(params.successes / params.attempts)"
              }
            }
          }
        }
      }
    }
  }
}
Queries and aggregations were done over the filebeat-* index.
Do you know if there is a way to write the same rule, for example using as rule_type: log threshold? This is because I need to see active alerts in "Observability-->Alerts" section.
The alert should be triggered if the by_error value is greater than 0.1.
Thanks.
Federica Forti | Elastic Certified Engineer
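To make the watcher's logic explicit before it is re-expressed as a rule, here is an added Python re-implementation of the aggregation tree above (example code, not part of the original post and not Elastic's own): it groups documents by host.name and application.name, counts attempts and successes exactly as the terms/filter aggregations do, computes by_error = 1 - successes/attempts like the bucket_script, and reports the buckets that would exceed the 0.1 threshold. The sample documents are constructed, field names are used as flat keys, and the 2-minute @timestamp window is assumed to have been applied before the documents reach this code.

```python
"""Plain-Python equivalent of the watcher's aggregations (added example).

Groups hits by (host.name, application.name), mirrors the "successes" filter
agg and the "by_error" bucket_script, and lists buckets above the threshold.
"""
from collections import defaultdict

# Constructed sample documents standing in for hits from the filebeat-* index,
# already restricted to the now-2m..now window by the range query.
SAMPLE_DOCS = [
    {"host.name": "web-01", "application.name": "checkout", "transaction.result": "0"},
    {"host.name": "web-01", "application.name": "checkout", "transaction.result": "0"},
    {"host.name": "web-01", "application.name": "checkout", "transaction.result": "0"},
    {"host.name": "web-01", "application.name": "checkout", "transaction.result": "500"},
    {"host.name": "web-01", "application.name": "search", "transaction.result": "0"},
    {"host.name": "web-02", "application.name": "checkout", "transaction.result": "0"},
    {"host.name": "web-02", "application.name": "checkout", "transaction.result": "0"},
    # No transaction.result: excluded by the "transaction.result : *" query_string.
    {"host.name": "web-02", "application.name": "search"},
]

ERROR_THRESHOLD = 0.1  # by_error value above which the post wants an alert


def error_ratios(docs):
    """Return {(host, app): by_error} mirroring by_hosts -> by_app -> by_error."""
    attempts = defaultdict(int)   # _count of each by_app bucket
    successes = defaultdict(int)  # successes._count (filter: transaction.result == "0")
    for doc in docs:
        result = doc.get("transaction.result")
        if result is None:
            # query_string "transaction.result : *" only matches docs with the field
            continue
        key = (doc["host.name"], doc["application.name"])
        attempts[key] += 1
        if result == "0":
            successes[key] += 1
    # bucket_script: 1-(params.successes / params.attempts).
    # Every bucket has attempts >= 1, so the division cannot hit zero.
    return {key: 1 - successes[key] / attempts[key] for key in attempts}


def alerting_buckets(docs, threshold=ERROR_THRESHOLD):
    """Sorted (host, app) pairs whose by_error is strictly greater than threshold."""
    return sorted(key for key, ratio in error_ratios(docs).items() if ratio > threshold)


if __name__ == "__main__":
    for (host, app), ratio in sorted(error_ratios(SAMPLE_DOCS).items()):
        print(f"{host}/{app}: by_error={ratio:.3f}")
    print("would alert:", alerting_buckets(SAMPLE_DOCS))
```

Two differences from the real aggregation are worth keeping in mind when comparing results: the Python version has no bucket limit, whereas the terms aggregations cap hosts at 200 and applications at the default bucket size, and the watcher's ratio is computed per 2-minute window, so a bucket with a single failed request in that window already yields by_error = 1.0.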