Unique Field in the watcher action

Johnnie843 · May 13, 2019, 8:21pm

I'm trying to get the unique values of a certain field in my watch. Is this possible?

For example I want to get the unique log_module in the following query and put it in my message:

[quote="Johnnie843, post:1, topic:180879, full:true"]
I'm trying to get the unique values of a certain field in my watch. Is this possible?

For example I want to get the unique messages in the following query and put it in my alert:

 "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "(log_module:gmsg) AND (log_message:\" is not reachable\") AND (log_message:Text\\:obt???)"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-7d"
                    }
                  }
                }
              ]
            }
          },

spinscale · May 22, 2019, 8:15am

You need to use a terms aggregation for that.

hope this helps!

--Alex

system · June 19, 2019, 8:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Querying log data to get unique error messages Elasticsearch	1	688	July 24, 2020
Kibana watcher alert error Elasticsearch elastic-stack-alerting	2	615	August 29, 2019
How to check sum of unique events in watcher & list those unique events in output action using wathers Elasticsearch elastic-stack-alerting	4	653	March 7, 2018
How to list one records when there are 4 similar records with no unique field in ELK Elasticsearch elastic-stack-alerting	4	298	January 31, 2023
Using Bucket Fields in Watcher Elasticsearch elastic-stack-alerting	5	431	September 16, 2019

Unique Field in the watcher action

Related topics