Alert condition data structer plus float result for math operation

guy · January 29, 2021, 2:33pm

See the image, I’m trying to define an alert such that a certain percentage will trigger the alert.
Two issues:

how to take the ERROR/SUCCESS doc from the list, I tried with (buckets{key:SUCCESS} which does not work)
the divide operation round the numbers like integer, I need a float number. (0.01)

Result example

{
“_shards”: {
“total”: 2080,
“failed”: 0,
“successful”: 2080,
“skipped”: 2030
},
“hits”: {
“hits”: ,
“total”: {
“value”: 3750,
“relation”: “eq”
},
“max_score”: null
},
“took”: 51,
“timed_out”: false,
“aggregations”: {
“2”: {
“doc_count”: 3750,
“buckets”: [
{
“score”: 0.0717097145653337,
“doc_count”: 3723,
“bg_count”: 202611071,
“key”: “SUCCESS”
},
{
“score”: 0.008978920146330968,
“doc_count”: 4,
“bg_count”: 24784,
“key”: “PARTIAL_SUCCESS”
},
{
“score”: 0.0020247561180953572,
“doc_count”: 22,
“bg_count”: 954370,
“key”: “ERROR”
}
],
“bg_count”: 218821134
}
}
}

Alert condition
ctx.results[0].aggregations.2.buckets{key:SUCCESS}.doc_count / ctx.results[0].hits.total.value == 0

ylasri · January 29, 2021, 2:45pm

You need to loop over buckets array and find key you want and get value for calculation, something like this may help

double score_sucess = 1.00;
double score_error = 1.00;
double score = 1.00;
for (int i = 0; i < ctx.results[0].aggregations.flag.buckets.length; i++) {

  if (ctx.results[0].aggregations.flag.buckets[i].key == "N") {
    score_sucess = ctx.results[0].aggregations.flag.buckets[i].doc_count * 1.00 / ctx.results[0].hits.total.value * 1.00;
  } else if (ctx.results[0].aggregations.flag.buckets[i].key == "Y") {
    score_error = ctx.results[0].aggregations.flag.buckets[i].doc_count * 1.00 / ctx.results[0].hits.total.value * 1.00;
  } else {
        score_sucess = 10;
        score_error = 10;
        score = 15;
    }
score = score_sucess / score_error;

}
return score > 1

guy · January 29, 2021, 6:32pm

ylasri:

double score_sucess = 1.00;
double score_error = 1.00;
double score = 1.00;
for (int i = 0; i < ctx.results[0].aggregations.flag.buckets.length; i++) {

  if (ctx.results[0].aggregations.flag.buckets[i].key == "N") {
    score_sucess = ctx.results[0].aggregations.flag.buckets[i].doc_count * 1.00 / ctx.results[0].hits.total.value * 1.00;
  } else if (ctx.results[0].aggregations.flag.buckets[i].key == "Y") {
    score_error = ctx.results[0].aggregations.flag.buckets[i].doc_count * 1.00 / ctx.results[0].hits.total.value * 1.00;
  } else {
        score_sucess = 10;
        score_error = 10;
        score = 15;
    }
score = score_sucess / score_error;

}
return score > 1

Thanks Yasin
It is good.

Though I would like to test the script and be able to print more than true/false, can I play with it on any tool?
Which programing language is it, when we write
“aggregations”: {
“2”: {
Then aggregations.2 is working, not familiar with this type of code.

ylasri · January 29, 2021, 7:16pm

This is the painless, something specific to Elasticsearch
The trigger function should return a boolean (True/False) to decide if to trigg an action or not
If you would like to ouput more informations, you will need to do that at the aggregation level (the query input of the monitor)

Topic		Replies	Views
Round value in alert message Alerting configure	1	678	October 11, 2022
How to iterate through Alert buckets Alerting	3	536	November 4, 2020
Trigger Condition Math Precision Alerting troubleshoot	0	321	January 12, 2023
Trigger on bucket count Alerting	1	1354	February 7, 2023
Alerting based on a percentage increase Alerting	1	571	February 7, 2023

Alert condition data structer plus float result for math operation

Related topics