Alert condition data structer plus float result for math operation

guy · January 29, 2021, 2:33pm

See the image, I’m trying to define an alert such that a certain percentage will trigger the alert.
Two issues:

how to take the ERROR/SUCCESS doc from the list, I tried with (buckets{key:SUCCESS} which does not work)
the divide operation round the numbers like integer, I need a float number. (0.01)

Result example

{
“_shards”: {
“total”: 2080,
“failed”: 0,
“successful”: 2080,
“skipped”: 2030
},
“hits”: {
“hits”: ,
“total”: {
“value”: 3750,
“relation”: “eq”
},
“max_score”: null
},
“took”: 51,
“timed_out”: false,
“aggregations”: {
“2”: {
“doc_count”: 3750,
“buckets”: [
{
“score”: 0.0717097145653337,
“doc_count”: 3723,
“bg_count”: 202611071,
“key”: “SUCCESS”
},
{
“score”: 0.008978920146330968,
“doc_count”: 4,
“bg_count”: 24784,
“key”: “PARTIAL_SUCCESS”
},
{
“score”: 0.0020247561180953572,
“doc_count”: 22,
“bg_count”: 954370,
“key”: “ERROR”
}
],
“bg_count”: 218821134
}
}
}

Alert condition
ctx.results[0].aggregations.2.buckets{key:SUCCESS}.doc_count / ctx.results[0].hits.total.value == 0

ylasri · January 29, 2021, 2:45pm

You need to loop over buckets array and find key you want and get value for calculation, something like this may help

double score_sucess = 1.00;
double score_error = 1.00;
double score = 1.00;
for (int i = 0; i < ctx.results[0].aggregations.flag.buckets.length; i++) {

  if (ctx.results[0].aggregations.flag.buckets[i].key == "N") {
    score_sucess = ctx.results[0].aggregations.flag.buckets[i].doc_count * 1.00 / ctx.results[0].hits.total.value * 1.00;
  } else if (ctx.results[0].aggregations.flag.buckets[i].key == "Y") {
    score_error = ctx.results[0].aggregations.flag.buckets[i].doc_count * 1.00 / ctx.results[0].hits.total.value * 1.00;
  } else {
        score_sucess = 10;
        score_error = 10;
        score = 15;
    }
score = score_sucess / score_error;

}
return score > 1

guy · January 29, 2021, 6:32pm

ylasri:

double score_sucess = 1.00;
double score_error = 1.00;
double score = 1.00;
for (int i = 0; i < ctx.results[0].aggregations.flag.buckets.length; i++) {

  if (ctx.results[0].aggregations.flag.buckets[i].key == "N") {
    score_sucess = ctx.results[0].aggregations.flag.buckets[i].doc_count * 1.00 / ctx.results[0].hits.total.value * 1.00;
  } else if (ctx.results[0].aggregations.flag.buckets[i].key == "Y") {
    score_error = ctx.results[0].aggregations.flag.buckets[i].doc_count * 1.00 / ctx.results[0].hits.total.value * 1.00;
  } else {
        score_sucess = 10;
        score_error = 10;
        score = 15;
    }
score = score_sucess / score_error;

}
return score > 1

Thanks Yasin
It is good.

Though I would like to test the script and be able to print more than true/false, can I play with it on any tool?
Which programing language is it, when we write
“aggregations”: {
“2”: {
Then aggregations.2 is working, not familiar with this type of code.

ylasri · January 29, 2021, 7:16pm

This is the painless, something specific to Elasticsearch
The trigger function should return a boolean (True/False) to decide if to trigg an action or not
If you would like to ouput more informations, you will need to do that at the aggregation level (the query input of the monitor)

Topic		Replies	Views
Round value in alert message Alerting configure	1	567	October 11, 2022
How to iterate through Alert buckets Alerting	3	441	November 4, 2020
Trigger on bucket count Alerting	1	1175	February 7, 2023
Understanding loops and variable index in alerting Alerting	6	938	December 28, 2021
Alerts - group by host/server Alerting	4	1704	February 14, 2024

Alert condition data structer plus float result for math operation

Related Topics