Hi,
Following is my extraction query:
{
  "size": 0,
  "query": {
    "terms": {
      "eventId": ["4624", "4625", "4740"]
    }
  },
  "aggs": {
    "by_agent": {
      "terms": {
        "field": "agent_id.keyword",
        "size": 100
      },
      "aggs": {
        "by_eventId": {
          "terms": {
            "field": "eventId.keyword",
            "size": 100
          }
        }
      }
    }
  }
}
and I am getting this result:
{
  "_shards": {
    "total": 1,
    "failed": 0,
    "successful": 1,
    "skipped": 0
  },
  "hits": {
    "hits": [],
    "total": {
      "value": 15,
      "relation": "eq"
    },
    "max_score": null
  },
  "took": 5,
  "timed_out": false,
  "aggregations": {
    "by_agent": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "doc_count": 9,
          "by_eventId": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 5,
                "key": "4740"
              },
              {
                "doc_count": 2,
                "key": "4624"
              },
              {
                "doc_count": 2,
                "key": "4625"
              }
            ]
          },
          "key": "000"
        },
        {
          "doc_count": 6,
          "by_eventId": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 3,
                "key": "4740"
              },
              {
                "doc_count": 2,
                "key": "4625"
              },
              {
                "doc_count": 1,
                "key": "4624"
              }
            ]
          },
          "key": "007"
        }
      ]
    }
  }
}
I want to trigger an alert for each document (with 000 and 007):
if (key == 4740 && doc_count > 1) && (key == 4625 && doc_count > 2) && (key == 4624 && doc_count > 3)
    return true // raise an alert
I tried various ways to achieve this, but nothing is working.
I always get "Empty list doesn't contain element at index 0."
Can someone please help me with this?
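An added worked example (not code from the post or from Elastic) showing how the nested aggregation above can be flattened and checked against per-eventId thresholds without positional access into possibly empty bucket lists. The response dict reproduces the buckets and counts quoted in the post, plus two constructed agent buckets ("042" with no inner buckets, "099" that exceeds every threshold) to exercise the edge cases. The thresholds encode the post's condition (4740 > 1, 4625 > 2, 4624 > 3); reading the `&&` as "all three must hold for the same agent bucket" is an assumption about the intent, so the function also offers an any-threshold mode.

```python
"""Evaluate per-agent alert thresholds over an Elasticsearch terms aggregation."""

# Constructed response: agents "000" and "007" carry the counts from the post;
# "042" (no inner buckets) and "099" (exceeds every threshold) are added here.
RESPONSE = {
    "aggregations": {
        "by_agent": {
            "buckets": [
                {"key": "000", "doc_count": 9,
                 "by_eventId": {"buckets": [
                     {"key": "4740", "doc_count": 5},
                     {"key": "4624", "doc_count": 2},
                     {"key": "4625", "doc_count": 2}]}},
                {"key": "007", "doc_count": 6,
                 "by_eventId": {"buckets": [
                     {"key": "4740", "doc_count": 3},
                     {"key": "4625", "doc_count": 2},
                     {"key": "4624", "doc_count": 1}]}},
                {"key": "042", "doc_count": 0,
                 "by_eventId": {"buckets": []}},
                {"key": "099", "doc_count": 9,
                 "by_eventId": {"buckets": [
                     {"key": "4740", "doc_count": 2},
                     {"key": "4625", "doc_count": 3},
                     {"key": "4624", "doc_count": 4}]}},
            ]
        }
    }
}

# Thresholds from the post: eventId -> count that must be exceeded.
THRESHOLDS = {"4740": 1, "4625": 2, "4624": 3}


def counts_by_agent(response):
    """Flatten the nested terms aggregation into {agent_id: {eventId: doc_count}}.

    Buckets are looked up by key rather than by position (buckets[0]), so an
    agent with no inner buckets yields an empty dict instead of an index error
    such as "Empty list doesn't contain element at index 0".
    """
    result = {}
    for agent in response["aggregations"]["by_agent"]["buckets"]:
        inner = agent.get("by_eventId", {}).get("buckets", [])
        result[agent["key"]] = {b["key"]: b["doc_count"] for b in inner}
    return result


def exceeded(event_counts, thresholds):
    """Return the set of eventIds whose count exceeds its threshold.

    An eventId absent from the agent's buckets counts as 0.
    """
    return {eid for eid, limit in thresholds.items()
            if event_counts.get(eid, 0) > limit}


def agents_to_alert(response, thresholds, require_all=True):
    """Return the sorted agent ids that should raise an alert.

    require_all=True: every threshold must be exceeded for that agent
    (the '&&' reading of the post's condition).
    require_all=False: exceeding any single threshold is enough.
    """
    hits = []
    for agent_id, event_counts in counts_by_agent(response).items():
        over = exceeded(event_counts, thresholds)
        if (require_all and over == set(thresholds)) or (not require_all and over):
            hits.append(agent_id)
    return sorted(hits)


if __name__ == "__main__":
    print("all thresholds exceeded:", agents_to_alert(RESPONSE, THRESHOLDS))
    print("any threshold exceeded: ",
          agents_to_alert(RESPONSE, THRESHOLDS, require_all=False))
```

With the post's numbers neither "000" nor "007" exceeds all three thresholds at once (their 4625 and 4624 counts sit at or below the limits), so only the constructed "099" fires in all-thresholds mode; in any-threshold mode "000" and "007" fire on 4740 alone. The same key-based lookup carries over to a Painless condition: iterate the buckets and match on `key` instead of indexing a list that may be empty.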