Watcher hits return only 10 documents

alerting

(Francisca Lima) #1

Hello,

I'm trying to do a chain input in X-Pack Watcher, querying the same index with different filters and aggregating values. I use the results of the aggregation and transform them in a script. However, each aggregation only returns 10 documents/hits.
How can I use more documents? I tried to change the size to a bigger number, but no success.

Thank you.


(Nathan Reese) #2

Can you provide some more details? What does your request body look like? What does the response look like?

Thanks,
Nathan


(Francisca Lima) #3

Hello,
As I explained, I am creating a chain input, the first input with data from group "MDMR" and the second input with data from group "ECMR". And I want an alert when the key from the first group is different from the second group. The problem is, when I'm running the script in actions, since I'm accessing the results of each query in an array, only 10 documents/hits appear, even when trying to increase the size.

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "first": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "monitoring"
                ],
                "types": [],
                "body": {
                  "size": 10000,
                  "query": {
                    "bool": {
                      "must": {
                        "match_all": {}
                      },
                      "filter": {
                        "bool": {
                          "must": [
                            {
                              "term": {
                                "group.keyword": "MDMR"
                              }
                            }
                          ]
                        }
                      }
                    }
                  },
                  "aggs": {
                    "first_agg": {
                      "terms": {
                        "field": "monitoring_date.keyword"
                      },
                      "aggs": {
                        "first_value": {
                          "top_hits": {
                            "docvalue_fields": [
                              {
                                "field": "value",
                                "format": "use_field_mapping"
                              }
                            ],
                            "_source": "value",
                            "size": 1,
                            "sort": [
                              {
                                "insert_date": {
                                  "order": "desc"
                                }
                              }
                            ]
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        },
        {
          "second": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "monitoring"
                ],
                "types": [],
                "body": {
                  "size": 10000,
                  "query": {
                    "bool": {
                      "must": {
                        "match_all": {}
                      },
                      "filter": {
                        "bool": {
                          "must": [
                            {
                              "term": {
                                "group.keyword": "ECMR"
                              }
                            }
                          ]
                        }
                      }
                    }
                  },
                  "aggs": {
                    "second_agg": {
                      "terms": {
                        "field": "monitoring_date.keyword"
                      },
                      "aggs": {
                        "second_value": {
                          "top_hits": {
                            "docvalue_fields": [
                              {
                                "field": "value",
                                "format": "use_field_mapping"
                              }
                            ],
                            "_source": "value",
                            "size": 1,
                            "sort": [
                              {
                                "insert_date": {
                                  "order": "desc"
                                }
                              }
                            ]
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "script": {
      "source": "return true",
      "lang": "painless"
    }
  },
  "actions": {
    "my-logging-action": {
      "transform": {
        "script": {
          "source": "def events = []; for (int i = 0; i < ctx.payload.first.aggregations.first_agg.buckets.length; i++) { for (int a = 0; a < ctx.payload.second.aggregations.second_agg.buckets.length; a++) { if (ctx.payload.first.aggregations.first_agg.buckets[i].key != ctx.payload.second.aggregations.second_agg.buckets[a].key) { def event = ctx.payload.first.aggregations.first_agg.buckets[i].key + '-MDMR:' + ctx.payload.first.aggregations.first_agg.buckets[i].first_value.hits.hits.0.fields.value + '-ECMR:' + ctx.payload.second.aggregations.second_agg.buckets[a].second_value.hits.hits.0.fields.value; events.add(event); } } } return events;",
          "lang": "painless"
        }
      },
      "logging": {
        "level": "info",
        "text": "xxx"
      }
    }
  }
}

The response shows for each query only 10 aggregated keys and values.

Any idea?

Thank you.