In my case I need to create an alert if the server does not send data for the last hour.
This task cannot be solved with one bucket, because if the server does not send data, then it will not get into the aggregation.
I am using two buckets: terms and date_range
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "now-6h",
              "to": "now"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "group_by_server": {
      "terms": { "field": "server" },
      "aggs": {
        "group_time": {
          "date_range": {
            "field": "@timestamp",
            "ranges": [
              {
                "key": "last_hour",
                "from": "now-1h",
                "to": "now"
              }
            ]
          }
        }
      }
    }
  }
}
In the query I take data for 6 hours and aggregation for the last hour. This allows you to identify the situation when the data stopped coming.
It worked, but I don't understand how to create a trigger on “doc_count” in the “group_time” aggregation.
If I create something like this:
"bucket_selector_ext": {
  "buckets_path": {
    "doc_count": "_count"
  },
  "script": {
    "source": "params.doc_count <0 "
  },
  "parent_bucket_path": "group_by_server"
}
Trigger will never fire because it works with “group_by_server” aggregation
Something like this:
"buckets_path": { "doc_count": "group_time.doc_count" },
or
"buckets_path": { "doc_count": "group_time.0.doc_count" },
or
"buckets_path": { "doc_count": "group_time.buckets.0.doc_count" },
or
"buckets_path": { "doc_count": "group_time.buckets(0).doc_count" },
etc.
This did not work, failing with the error “value must not be null”.
If I add “keyed” to the aggregation:
...
"group_time": {
  "date_range": {
    "field": "@timestamp",
    "ranges": [
      {
        "key": "last_hour",
        "from": "now-1h",
        "to": "now"
      }
    ],
    "keyed": true
  }
}
...
And used in trigger
"buckets_path": { "doc_count": "group_time.buckets.last_hour.doc_count" },
This also does not work and returns the error “value must not be null”.
Please help me understand what I am doing wrong.
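As an added example (not part of the original post, and not the alerting plugin's own code), the following Python walks a search response of the shape the query above produces and lists the servers whose `last_hour` bucket is empty, which is exactly the condition the trigger is meant to detect. It handles both the default list-shaped `date_range` buckets and the `"keyed": true` dict-shaped form, since the two look different in the response. The response documents, the server names (`web-1`, `web-2`) and the counts are constructed by hand to mimic the real shape.

```python
"""Added example: find servers that went silent in the last hour from a
terms + date_range aggregation response (constructed sample data)."""

# Constructed sample response, non-keyed date_range (buckets is a list).
# web-1 still sent data in the last hour; web-2 did not.
SAMPLE_RESPONSE = {
    "aggregations": {
        "group_by_server": {
            "buckets": [
                {
                    "key": "web-1",
                    "doc_count": 210,
                    "group_time": {
                        "buckets": [
                            {"key": "last_hour", "doc_count": 37}
                        ]
                    },
                },
                {
                    "key": "web-2",
                    "doc_count": 180,
                    "group_time": {
                        "buckets": [
                            {"key": "last_hour", "doc_count": 0}
                        ]
                    },
                },
            ]
        }
    }
}

# Same data with "keyed": true, where buckets is a dict keyed by range name.
SAMPLE_RESPONSE_KEYED = {
    "aggregations": {
        "group_by_server": {
            "buckets": [
                {
                    "key": "web-1",
                    "doc_count": 210,
                    "group_time": {"buckets": {"last_hour": {"doc_count": 37}}},
                },
                {
                    "key": "web-2",
                    "doc_count": 180,
                    "group_time": {"buckets": {"last_hour": {"doc_count": 0}}},
                },
            ]
        }
    }
}


def range_buckets(agg):
    """Normalize a date_range sub-aggregation to {range_key: bucket}.

    With "keyed": true the buckets are already a dict; otherwise they are a
    list of buckets each carrying its own "key".
    """
    buckets = agg["buckets"]
    if isinstance(buckets, dict):
        return buckets
    return {b["key"]: b for b in buckets}


def silent_servers(response, parent="group_by_server", child="group_time",
                   range_key="last_hour"):
    """Return the sorted names of servers whose range bucket has doc_count 0.

    A server that appears in the 6-hour terms bucket but has no documents in
    the last-hour range is the "data stopped coming" case the alert targets.
    A missing range key is treated as zero documents.
    """
    silent = []
    for server_bucket in response["aggregations"][parent]["buckets"]:
        ranges = range_buckets(server_bucket[child])
        count = ranges.get(range_key, {}).get("doc_count", 0)
        if count == 0:
            silent.append(server_bucket["key"])
    return sorted(silent)


if __name__ == "__main__":
    print("silent (list form):", silent_servers(SAMPLE_RESPONSE))
    print("silent (keyed form):", silent_servers(SAMPLE_RESPONSE_KEYED))
```

The point of `range_buckets` is that the path to `doc_count` genuinely differs between the two response shapes, which is worth keeping in mind when writing any bucket-level condition: in the list form the only bucket is at index 0 and carries `"key": "last_hour"`, while in the keyed form it sits under the `last_hour` key directly.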