Unique Field in the watcher action

Johnnie843 · May 13, 2019, 8:21pm

I'm trying to get the unique values of a certain field in my watch. Is this possible?

For example I want to get the unique log_module in the following query and put it in my message:

[quote="Johnnie843, post:1, topic:180879, full:true"]
I'm trying to get the unique values of a certain field in my watch. Is this possible?

For example I want to get the unique messages in the following query and put it in my alert:

 "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "(log_module:gmsg) AND (log_message:\" is not reachable\") AND (log_message:Text\\:obt???)"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-7d"
                    }
                  }
                }
              ]
            }
          },

spinscale · May 22, 2019, 8:15am

You need to use a terms aggregation for that.

hope this helps!

--Alex

system · June 19, 2019, 8:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.