Hello Anthony,
Thanks for the quick feedback. I got hit results back from Dev Tools; however, when I created an Anomaly Detector with one Feature using a Custom Expression based on “count_logins” for the “username” field, I got the error below:
Issues found in the model configuration: The “count_logins” Feature has an invalid query causing a runtime exception
Please let me know what I did wrong for the “count_logins” Feature below:
{
  "filtered_output": {
    "filter": {
      "bool": {
        "must": [
          {
            "script": {
              "script": {
                "source": "def h = doc['@timestamp'].value.getHour(); h >= 23 || h < 12",
                "lang": "painless"
              },
              "boost": 1.0
            }
          },
          {
            "wildcard": {
              "username.keyword": {
                "wildcard": "*adm",
                "boost": 1
              }
            }
          }
        ],
        "adjust_pure_negative": true,
        "boost": 1
      }
    },
    "aggs": {
      "buckets": {
        "date_histogram": { "field": "@timestamp", "fixed_interval": "10m" },
        "aggs": {
          "count_logins": { "value_count": { "field": "username.keyword" } }
        }
      }
    }
  }
}
Thank you in advance,
Andre
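The following is an added example, not code from the original post or from the OpenSearch project. It reproduces locally, in Python, what the feature above is meant to compute: the Painless hour filter (`h >= 23 || h < 12`), the `*adm` wildcard on `username.keyword`, and a `value_count` per 10-minute `fixed_interval` bucket. The sample login events are constructed for the example and are in UTC, which matches Painless, where `doc['@timestamp'].value` is exposed as a UTC date. Running the same logic over a handful of known events gives a reference count to compare against what Dev Tools returns for the aggregation, so that a wrong or empty feature value can be told apart from a query that simply matches nothing.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample login events (not from the original post). Timestamps are UTC,
# matching the timezone Painless uses for doc['@timestamp'].value.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-01T23:05:00Z", "username": "backupadm"},
    {"@timestamp": "2024-03-01T23:07:30Z", "username": "alice"},     # not an *adm account
    {"@timestamp": "2024-03-01T23:12:10Z", "username": "dbadm"},
    {"@timestamp": "2024-03-02T02:40:00Z", "username": "svcadm"},
    {"@timestamp": "2024-03-02T02:41:00Z", "username": "svcadm"},
    {"@timestamp": "2024-03-02T13:15:00Z", "username": "rootadm"},   # daytime, filtered out
    {"@timestamp": "2024-03-02T03:00:00Z", "username": "admin"},     # does not END with "adm"
]

BUCKET = timedelta(minutes=10)   # the date_histogram fixed_interval of "10m"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_off_hours(ts):
    """Mirror the Painless script: def h = ...getHour(); h >= 23 || h < 12"""
    h = ts.hour
    return h >= 23 or h < 12


def matches_admin(username):
    """Mirror the wildcard query "*adm" on username.keyword.

    A keyword wildcard is case-sensitive and anchored at both ends, so this is
    an exact 'ends with adm' test, not a substring match ("admin" is excluded).
    """
    return username.endswith("adm")


def bucket_start(ts):
    """Floor a timestamp to its 10-minute bucket, anchored at the Unix epoch as
    date_histogram fixed_interval buckets are."""
    n = (ts - EPOCH) // BUCKET
    return EPOCH + n * BUCKET


def count_logins(events):
    """Return {bucket_start_iso: value_count} for events passing both filters.

    value_count on username.keyword counts every document that has a username,
    so it equals the number of matching events in the bucket.
    """
    counts = Counter()
    for ev in events:
        ts = parse_ts(ev["@timestamp"])
        if is_off_hours(ts) and matches_admin(ev["username"]):
            counts[bucket_start(ts).strftime("%Y-%m-%dT%H:%M:%SZ")] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for bucket, n in count_logins(SAMPLE_EVENTS).items():
        print(f"{bucket}  count_logins={n}")
```

Note that the hour test is done on UTC hours; if the "off hours" window is meant in local time, the Painless script (and this reproduction) would need an explicit zone conversion, otherwise the window shifts with the server's offset from UTC.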