Good afternoon, I am trying to build an Elastic watcher query using nested aggs that feed the variables into a bucket script, which will subtract one field from another, then put that value into a watcher on a threshold. I've done plenty of watchers on standard searches on logs, which work great. But this is a bit of a different beast to me.
I am hoping that I am doing something syntactically wrong on my first step of building the nested agg.
I read through this as my "yellow brick road"
https://www.elastic.co/guide/en/elasticsearch/reference/7.5/search-aggregations-pipeline.html
When I run this, I get all the topics back:
GET /metricbeat-7.4.0-2020.01.31-000051/_search
{
  "size": 0,
  "aggs": {
    "group_by_topic": {
      "terms": {
        "field": "kafka.topic.name",
        "size": 50
      }
    }
  }
}
But when I run this in Dev Tools I get back an object not found exception. I checked to make sure that the agg was nested, but it's not working out too well.
GET /metricbeat-7.4.0-2020.01.31-000051/_search
{
  "size": 0,
  "aggs": {
    "group_by_topic": {
      "terms": {
        "field": "kafka.topic.name",
        "size": 50
      }
    },
    "aggs": {
      "sum_partition_offset_newest": { "sum": { "field": "kafka.partition.offset.newest" } }
    }
  }
}
"type": "named_object_not_found_exception",
"reason": "[12:37] unable to parse BaseAggregationBuilder with name
[sum_partition_offset_newest]: parser not found"
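An added example, not part of the original post or of Elasticsearch itself, showing what goes wrong in the second query and what the intended request looks like. In the failing query the `aggs` key sits beside `group_by_topic` instead of inside it, so Elasticsearch parses it as an aggregation named `aggs` and then treats `sum_partition_offset_newest` as an aggregation type, which is the "parser not found" in the error. The code below lints an `aggs` block for that mistake, builds the request with the sum sub-aggregations nested under `group_by_topic` and a `bucket_script` subtracting one from the other, and evaluates constructed bucket output against a threshold the way a watcher condition would. The field `kafka.partition.offset.oldest`, the aggregation names `sum_partition_offset_oldest` and `offset_span`, the sample response and the threshold are assumptions for the example.

```python
"""Nested aggregation lint, corrected request body and watcher-style
threshold check for the Kafka offset query. Example code only; the
'oldest' field, extra aggregation names and sample data are assumptions."""

# Aggregation types the linter recognises; anything else is reported the
# way Elasticsearch does ("parser not found"). Illustrative subset only.
KNOWN_AGG_TYPES = {"terms", "sum", "max", "min", "avg", "bucket_script"}


def lint_aggs(aggs, path="aggs"):
    """Return a list of problems in an 'aggs' object (empty list = clean).

    Every entry must be <agg_name>: {<agg_type>: {...}, "aggs": {...}?}.
    A key literally named 'aggs' at this level is an aggregation *named*
    aggs, so its first child key becomes the (unknown) aggregation type."""
    problems = []
    for name, body in aggs.items():
        if name in ("aggs", "aggregations"):
            problems.append(f"{path}: '{name}' is a sibling of other aggregations; "
                            "sub-aggregations must be nested inside the parent aggregation")
            continue
        if not isinstance(body, dict):
            problems.append(f"{path}.{name}: aggregation body must be an object")
            continue
        types = [k for k in body if k not in ("aggs", "aggregations", "meta")]
        if len(types) != 1:
            problems.append(f"{path}.{name}: expected exactly one aggregation type, got {types}")
            continue
        if types[0] not in KNOWN_AGG_TYPES:
            problems.append(f"{path}.{name}: unknown aggregation type [{types[0]}]: parser not found")
        for sub_key in ("aggs", "aggregations"):
            if sub_key in body:
                problems.extend(lint_aggs(body[sub_key], f"{path}.{name}.{sub_key}"))
    return problems


def build_offset_span_request(topic_count=50):
    """Search body with the sums nested under group_by_topic and a
    bucket_script computing newest - oldest per topic.
    Assumes kafka.partition.offset.oldest exists alongside ...newest."""
    return {
        "size": 0,
        "aggs": {
            "group_by_topic": {
                "terms": {"field": "kafka.topic.name", "size": topic_count},
                "aggs": {
                    "sum_partition_offset_newest": {"sum": {"field": "kafka.partition.offset.newest"}},
                    "sum_partition_offset_oldest": {"sum": {"field": "kafka.partition.offset.oldest"}},
                    "offset_span": {
                        "bucket_script": {
                            "buckets_path": {
                                "newest": "sum_partition_offset_newest",
                                "oldest": "sum_partition_offset_oldest",
                            },
                            "script": "params.newest - params.oldest",
                        }
                    },
                },
            }
        },
    }


def topics_over_threshold(response, threshold):
    """Mimic the watcher condition: topics whose offset_span exceeds threshold.
    bucket_script results appear per bucket as {"offset_span": {"value": n}}."""
    buckets = response["aggregations"]["group_by_topic"]["buckets"]
    return sorted(b["key"] for b in buckets if b["offset_span"]["value"] > threshold)


# Shape of the post's failing query: 'aggs' beside group_by_topic, not inside it.
BROKEN_AGGS = {
    "group_by_topic": {"terms": {"field": "kafka.topic.name", "size": 50}},
    "aggs": {"sum_partition_offset_newest": {"sum": {"field": "kafka.partition.offset.newest"}}},
}

# Constructed sample response, not output from a real cluster.
SAMPLE_RESPONSE = {
    "aggregations": {"group_by_topic": {"buckets": [
        {"key": "orders", "doc_count": 12,
         "sum_partition_offset_newest": {"value": 50000.0},
         "sum_partition_offset_oldest": {"value": 48000.0},
         "offset_span": {"value": 2000.0}},
        {"key": "audit", "doc_count": 3,
         "sum_partition_offset_newest": {"value": 900.0},
         "sum_partition_offset_oldest": {"value": 750.0},
         "offset_span": {"value": 150.0}},
    ]}}
}

if __name__ == "__main__":
    for problem in lint_aggs(BROKEN_AGGS):
        print("broken query:", problem)
    print("corrected query problems:", lint_aggs(build_offset_span_request()["aggs"]))
    print("topics over 1000:", topics_over_threshold(SAMPLE_RESPONSE, 1000))
```

Running the linter over your own request body before wiring it into a watcher catches the sibling `aggs` mistake without a round trip to the cluster; the watcher condition itself would read the same `offset_span.value` per bucket from `ctx.payload`.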