Hello @Joey_Visbeen
We can use the chain input without a transform; the action part needs to be updated as per your requirement, along with the time range, which is set to 5h here (the `by_hostname` terms aggregation `size` should also be at least the number of expected hosts, otherwise a host can be reported as missing only because it did not fit in the top buckets). In case it helps, the code below is as per the requirement (the script part was generated using an LLM) -
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"chain": {
"inputs": [
{
"first": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"index*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"terms": {
"host.hostname": [
"name",
"name1",
"name2",
"name3"
]
}
},
{
"range": {
"@timestamp": {
"gte": "now-5h",
"lte": "now"
}
}
}
]
}
},
"aggs": {
"by_hostname": {
"terms": {
"field": "host.hostname",
"size": 10
}
}
}
}
}
}
}
}
]
}
},
"condition": {
"script": {
"source": """
def expected = ['name','name1','name2','name3'];
if (ctx.payload.first == null || ctx.payload.first.aggregations == null) {
return true;
}
def buckets = ctx.payload.first.aggregations.by_hostname.buckets;
def seen = [];
for (def b : buckets) {
seen.add(b.key);
}
for (def h : expected) {
if (!seen.contains(h)) {
return true;
}
}
return false;
""",
"lang": "painless"
}
},
"actions": {
"index_alert": {
"transform": {
"script": {
"source": """
def expected = ['name','name1','name2','name3'];
def seen = [];
if (ctx.payload.first != null && ctx.payload.first.aggregations != null) {
for (def b : ctx.payload.first.aggregations.by_hostname.buckets) {
seen.add(b.key);
}
}
def missing = [];
for (def h : expected) {
if (!seen.contains(h)) {
missing.add(h);
}
}
return [
'@timestamp': ctx.execution_time,
'missing_hosts': missing,
'seen_hosts': seen,
'watch_id': ctx.watch_id
];
""",
"lang": "painless"
}
},
"index": {
"index": "abc"
}
}
}
}
Output:
"seen_hosts": [
"name",
"name1",
"name2"
],
"missing_hosts": [
"name3"
]
}
},
Thanks!!