Watcher trigger on sub-bucket count

uklipse · March 25, 2019, 6:56pm

I am trying to create a watch that will trigger on a couple aggregations. Below is the results of my query and I have essentially two buckets. I'm looking to trigger on the unique count of the sub-buckets in this case is the username buckets count.

I'm trying to react on the uppercase BUCKETS portion which is the count of username buckets within the first workstation bucket. I'm thinking something like this: ctx.payload.aggregations.workstation.buckets.0.username.buckets.doc_count

Any ideas?

  "aggregations": {
    "workstation": {
      "doc_count_error_upper_bound": 2,
      "sum_other_doc_count": 73,
      "buckets": [
        {
          "doc_count": 103,
          "key": "workstation1",
          "username": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
             "BUCKETS": [
              {
                "doc_count": 97,
                "key": "user1"
              },
              {
                "doc_count": 6,
                "key": "user2"
              }
            ]
          }
        },
        {
          "doc_count": 12,
          "key": "workstation2",
          "username": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 9,
                "key": "user3"
              },
              {
                "doc_count": 3,
                "key": "user2"
              }
            ]
          }
        },
        {
          "doc_count": 11,
          "key": "-",
          "username": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 11,
                "key": "user3"
              }
            ]
          }
        }
      ]
    }
  }

uklipse · March 26, 2019, 12:53am

@spinscale - Alexander, I've seen where you have helped others and wondering if you can assist me. I'm trying to do a comparison on the bucket count of a sub-aggregation. When I set my compare condition to this ctx.payload.aggregations.workstation.buckets.0.username.buckets then I get the results below. It lists two values user5 and user6 and I'm looking to create a comparison if the number of keys (in this case 2 - user5 and user6) are greater than 20.

I've tried different things after buckets but they come back as null. I'm trying to look for a count greater than 20 different users from a single workstation.

Any help would be greatly appreciated

"compare": {
  "resolved_values": {
    "ctx.payload.aggregations.workstation.buckets.0.username.buckets": [
      {
        "doc_count": 33,
        "key": "user5"
      },
      {
        "doc_count": 12,
        "key": "user6"
      }
    ]
  }
}

spinscale · March 26, 2019, 12:35pm

please refrain from pinging people directly, especially only 18h after creating the initial post. This forum does not come with an SLA attached to it.

For your use case: Do not use the compare condition but rather a script condition, which allows you to do this kind of comparison.

system · April 23, 2019, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher sub-aggregation count alert Elasticsearch	3	822	November 9, 2017
Watcher - display for each bucket, its corresponding sub buckets results Elasticsearch elastic-stack-alerting	1	368	May 6, 2021
Watcher - Write painless script for looping aggregated buckets Elasticsearch elastic-stack-alerting , painless	3	1073	January 18, 2023
Comparing the last aggregated sub bucket count in the watcher condition Kibana elastic-stack-alerting	2	290	July 27, 2021
Mathematical operations on individual bucket elemenst Elasticsearch	8	1888	March 10, 2017

Watcher trigger on sub-bucket count

Related topics