Dynamic Alerting Triggers based on particular field in the Index

Hi Team,

I am using OD alerting plugin for alerting. In our system, threshold values are changing dynamically, so I cannot select a particular integer value as a Trigger.
Our index contains a “threshold” field whose values change dynamically, and I want to use this “Threshold” field as the trigger instead of a static integer value.

Is there any way to select the threshold field in the trigger instead of a static value? Our “Threshold” field values change in real time, and alerts need to be triggered when our device values rise above the “Threshold” field values.

Aside - have you considered anomaly detection for this? It kinda seems like it would fit that use case better than alerting with an explicit trigger value.

Hi @searchymcsearchface ,
I didn’t consider anomaly detection for this, as the basic idea is to generate alerts for fields that are above the threshold values.

Is there any way to add a trigger based on the “threshold.operational” field using the query editor, instead of creating triggers based on static integer values?
Would the OD anomaly plugin satisfy the objective of an explicit trigger?

Actually, the main idea for using alert plugins is to create multiple triggers for a single monitor to get real-time severity-based alerts.

Ex- For monitor name-condition1
Trigger can generate if condition- 1) above>threshold.operational
2)above>threshold.caution
3)above>threshold.warning

The code for the trigger with the ‘threshold.operational’ condition is attached below:

{
    "periodStart": "2021-07-16T15:35:59Z",
    "periodEnd": "2021-07-16T15:36:59Z",
    "results": [
        {
            "_shards": {
                "total": 2,
                "failed": 0,
                "successful": 2,
                "skipped": 0
            },
            "hits": {
                "hits": [],
                "total": {
                    "value": 6,
                    "relation": "eq"
                },
                "max_score": null
            },
            "took": 2,
            "timed_out": false,
            "aggregations": {
                "when": {
                    "value": 94.48999786376953
                }
            }
        }
    ],
    "trigger": {
        "name": "Operational Threshold",
        "severity": "1",
        "condition": {
            "script": {
                "lang": "painless",
                "source": "ctx.results[0].hits.total.value > threshold.operational"
            }
        },
        "min_time_between_executions": null,
        "rolling_window_size": null
    },
    "alert": null,
    "error": null,
    "monitor": {
        "type": "monitor",
        "schema_version": 1,
        "name": "condition1",
        "enabled": true,
        "enabled_time": 1626448828962,
        "schedule": {
            "period": {
                "interval": 1,
                "unit": "MINUTES"
            }
        },
        "inputs": [
            {
                "search": {
                    "indices": [
                        "cond*"
                    ],
                    "query": {
                        "size": 0,
                        "query": {
                            "bool": {
                                "filter": [
                                    {
                                        "range": {
                                            "@timestamp": {
                                                "from": "{{period_end}}||-30d",
                                                "to": "{{period_end}}",
                                                "include_lower": true,
                                                "include_upper": true,
                                                "format": "epoch_millis",
                                                "boost": 1
                                            }
                                        }
                                    }
                                ],
                                "adjust_pure_negative": true,
                                "boost": 1
                            }
                        },
                        "aggregations": {
                            "when": {
                                "max": {
                                    "field": "total_accel_max"
                                }
                            }
                        }
                    }
                }
            }
        ],
        "triggers": [],
        "last_update_time": 1626448944943,
        "ui_metadata": {
            "schedule": {
                "cronExpression": "0 */1 * * *",
                "period": {
                    "unit": "MINUTES",
                    "interval": 1
                },
                "timezone": null,
                "daily": 0,
                "monthly": {
                    "type": "day",
                    "day": 1
                },
                "weekly": {
                    "tue": false,
                    "wed": false,
                    "thur": false,
                    "sat": false,
                    "fri": false,
                    "mon": false,
                    "sun": false
                },
                "frequency": "interval"
            },
            "search": {
                "aggregationType": "max",
                "fieldName": "total_accel_max",
                "overDocuments": "all documents",
                "searchType": "query",
                "bucketValue": 30,
                "timeField": "@timestamp",
                "groupedOverTop": 5,
                "bucketUnitOfTime": "d",
                "where": {
                    "fieldName": [],
                    "fieldRangeEnd": 0,
                    "fieldRangeStart": 0,
                    "fieldValue": "",
                    "operator": "is"
                },
                "groupedOverFieldName": "bytes"
            },
            "triggers": {}
        }
    }
}

Hi Team,

I also checked anomaly detection in OD anomaly detection and created a detector, but it also shows static fields instead of dynamic fields.

Pic Attached-

I tried writing the code below, but it’s not working. Is there any other way I can write the query to meet this need?
Please share your thoughts, any suggestions/advice will be highly appreciated.

{
    "bool": {
        "filter": [
            {
                "range": {
                    "tag.value": {
                        "from": "operational.threshold",
                        "to": "threshold.caution",
                        "include_lower": true,
                        "include_upper": true,
                        "boost": 1
                    }
                }
            }
        ],
        "adjust_pure_negative": true,
        "boost": 1
    }
}