Hi there,
I have a query result like this:
"aggregations": {
"backend": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 92,
"client_ip": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 92,
"key": "12.12.11.10"
}
]
},
"key": "ws1r"
},
{
"doc_count": 56,
"client_ip": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 56,
"key": "14.225.114.15"
}
]
},
"key": "ws14"
},
{
"doc_count": 52,
"client_ip": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 40,
"key": "77.27.105.10"
},
{
"doc_count": 12,
"key": "100.150.105.10"
}
]
},
"key": "web"
}
]
}
}
For each backend bucket, I'd like to display the results of its own sub-buckets, but I can't find how to do this. The best I can get is the first sub-aggregation result, repeated for every backend.
What I currently get:
ws1r: 92 , including 12.12.11.10 : 92
ws14: 56 , including 12.12.11.10 : 92
web: 52 , including 12.12.11.10 : 92
What I'd like to get:
ws1r_camper: 92 , including 12.12.11.10 : 92
ws14: 56 , including 14.225.114.15 : 56
web: 52 , including 77.27.105.10 : 40 ; 100.150.105.10 : 12
Below is my watcher:
{
"trigger" : {
"schedule" : {
"interval": "12h"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"haproxy*"
],
"rest_total_hits_as_int": true,
"body": {
"aggs": {
"backend": {
"terms": {
"field": "backend_name.keyword"
},
"aggs": {
"client_ip": {
"terms": {
"field": "client_ip",
"order": {
"_count": "desc"
},
"size": 3
}
}
}
}
},
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
}
],
"_source": {
"excludes": []
},
"query": {
"bool": {
"must": [],
"filter": [
{
"bool": {
"should": [
{
"match": {
"http_status_code": 429
}
}
],
"minimum_should_match": 1
}
},
{
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-12h",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time"
}
}
}
],
"should": [],
"must_not": []
}
},
"sort": [{
"@timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}],
"size": 15
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"actions": {
"webhook_prod": {
"webhook": {
"scheme": "https",
"host": "discordapp.com",
"port": 443,
"method": "post",
"path": "api/webhooks/xxx",
"params": {},
"headers": {},
"body": """{ "content": "{{ctx.metadata.name}} alert - There are {{ctx.payload.hits.total}} errors 429 on last 12 hours on haproxy backends:\n{{#ctx.payload.aggregations.backend.buckets}}{{key}}: {{doc_count}} , including {{#ctx.payload.aggregations.backend.buckets.0.client_ip.buckets}}{{key}} : {{doc_count}} - {{/ctx.payload.aggregations.backend.buckets.0.client_ip.buckets}}\n{{/ctx.payload.aggregations.backend.buckets}}}"""
}
}
}
}
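How can I loop over the client_ip buckets of the current backend bucket, instead of {{ctx.payload.aggregations.backend.buckets.0.client_ip.buckets}}? I know the hard-coded index 0 is wrong, since it always selects the first backend's sub-buckets, but I can't find how to do this.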
best regards
thomas