Will the "collapse" clause work in Kibana's Alert type "Query DSL"

jayesh.patel · May 30, 2023, 9:53pm

Hi, In kibana 8.6, I am trying to create and Alert of type "Query DSL". In the DSL query, I wanted to pick the lastest document, which breached the filesystem used percentage great than 80% for each cloud.instance. Seems like Elasticsearch provides the "collapse" clause, which can be used for grouping and picking the lastest document using sort.
Will the following DSL query work in Kibana's Alert type "Quey DSL"? Meaning.. Will the "collapse" clause work in Kibana's Alert type "Query DSL"?

 {
  "size": 500,
  "query": {
    "bool" : {
      "must" : {
        "range" : {
		  "system.filesystem.used.pct" : { "gte" : 80 }
		}
      },
      "must_not" : {
        "term" : { "system.filesystem.mount_point" : "/boot" }
      },
	}
  },
  "collapse": {
    "field": "cloud.instance.name",
	"inner_hits": {
	  "name": "latest",
	  "size": 1,
	  "sort": [{"@timestamp": {"order": "desc"}}]
	}
  }
}

system · June 27, 2023, 9:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using collapse DSL queries in Kibana? Kibana elastic-stack-graph	2	446	April 24, 2023
Does Search Alert in 7.12 include query? Kibana	5	232	May 6, 2021
DSL query in Kibana Rules does not work the same as from Dev Tools Kibana elastic-stack-alerting	10	597	April 19, 2023
Kibana alert Kibana elastic-stack-alerting	1	293	August 9, 2022
Kibana alerting mechanism Kibana	2	260	August 12, 2022

Will the "collapse" clause work in Kibana's Alert type "Query DSL"

Related topics