Alert on percentage

Tuckson · August 28, 2019, 8:56am

Hi,

Is it possible to take the count of 2 queries in a certain timeframe, calculate what percentage the one is from the other (let’s say, total nr of requests and number of unsuccessful requests) and then alert on that percentage?.

So basically I take a timeperiod, let’s say 5 mins. I count the nr. of documents and I count a subset of that. Then the percentage this subset is of the total is calculated and I alert if this exceeds a certain treshold. Hope I make clear what I intent to.

Have been looking at the kibana with some sample data, but it feels rather limited, so I suppose I need some workaround on this (Am not very familiair with kibana/ELK internals yet)?

THIA

Tuckson · September 27, 2019, 11:03am

Nobody? Would really appreciate some replies?

lucaswin-amzn · October 29, 2019, 6:55pm

Hi @Tuckson,

This seems to be more a generic Elasticsearch DSL question than an alerting question. But here is my take:

In your response you would like to have 2 buckets, one for total number of requests and one for failed requests. You can do this by using a terms aggregation query.

If you store response code as a keyword for example you could do this:

{
    "aggs" : {
        "responses" : {
            "terms" : { "field" : "response_code" } 
        }
    }
}

This will give you something like:

{
    ...
    "aggregations" : {
        "responses" : {
            "buckets" : [ 
                {
                    "key" : "200",
                    "doc_count" : 6
                },
                {
                    "key" : "403",
                    "doc_count" : 3
                },
                {
                    "key" : "503",
                    "doc_count" : 2
                }
            ]
        }
    }
}

From here you can then use a painless trigger script to get a percentage and trigger based on a threshold.

Or you could use something like the percentiles aggregation. Which would look like this:

{
    "size": 0,
    "aggs" : {
        "responses" : {
            "percentiles" : {
                "field" : "response_code" 
            }
        }
    }
}

But these results would be displayed in things like P99, P90, etc…

It is hard to answer your question fully without understanding your data architecture / sample documents.

Hope this helps!

Topic		Replies	Views
Kibana Open Distro Alerts - 2+ monitor conditions & relative triggers Alerting	2	823	April 9, 2021
Opensearch bucket monitor OpenSearch discuss	0	39	September 11, 2024
Set up percentage monitor/trigger Open Source Elasticsearch and Kibana	1	536	February 7, 2023
Arithmetic operations of fields Alerting	2	705	March 7, 2021
Alerting based on a percentage increase Alerting	1	564	February 7, 2023

Alert on percentage

Related topics