Here is the solution:
- In Discover, build the query that matches the documents you want to alert on (in the example below: documents where both `m.alert.severity` and `m.alert.name` exist) and confirm it returns them.
- Save the query.
- Create a monitor from the saved query and change the `format` of the `@timestamp` range filter to `epoch_millis`, because the `{{period_end}}` value the monitor substitutes at run time is an epoch-milliseconds number, not a date string. Make sure the look-back in `from` (`{{period_end}}||-2m` below) is at least as long as the monitor's schedule interval, otherwise documents that arrive between two runs will never be seen; a look-back longer than the interval can match the same document in consecutive runs. Fields that only serve Discover (`highlight`, `docvalue_fields`, `aggregations`, `sort`, `stored_fields`, the no-op `match_all` filter) can be removed from the monitor query, and if the trigger condition only checks the hit count, `size` can be lowered from 500 so each run does not pull full documents.
{
"size": 500,
"query": {
"bool": {
"filter": [
{
"match_all": {
"boost": 1
}
},
{
"exists": {
"field": "m.alert.severity",
"boost": 1
}
},
{
"exists": {
"field": "m.alert.name",
"boost": 1
}
},
{
"range": {
"@timestamp": {
"from": "{{period_end}}||-2m",
"to": "{{period_end}}",
"include_lower": true,
"include_upper": true,
"format": "epoch_millis",
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"version": true,
"_source": {
"includes": [],
"excludes": []
},
"stored_fields": "*",
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
},
{
"field": "created",
"format": "date_time"
},
{
"field": "m.params.cartProducts.createdTime",
"format": "date_time"
},
{
"field": "m.time",
"format": "date_time"
}
],
"script_fields": {},
"sort": [
{
"@timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"aggregations": {
"2": {
"date_histogram": {
"field": "@timestamp",
"time_zone": "Asia/Jerusalem",
"fixed_interval": "1s",
"offset": 0,
"order": {
"_key": "asc"
},
"keyed": false,
"min_doc_count": 1
}
}
},
"highlight": {
"pre_tags": [
"@opensearch-dashboards-highlighted-field@"
],
"post_tags": [
"@/opensearch-dashboards-highlighted-field@"
],
"fragment_size": 2147483647,
"fields": {
"*": {}
}
}
}