How to access trigger response bucket keys in action message

jveleztw · May 5, 2024, 11:43pm

Versions AWS OpenSearch 1.3.2
Describe the issue:

I have a trigger whose condition is per-bucket

    "aggregations": {
        "domain-count": {
            "terms": {
                "field": "domain.keyword",
                "size": 100,
                "min_doc_count": 1,
                "shard_min_doc_count": 0,
                "show_term_doc_count_error": false,
                "order": [
                    {
                        "_count": "desc"
                    },
                    {
                        "_key": "asc"
                    }
                ]
            }
        }
    }

{
    "buckets_path": {
        "doc_count": "_count"
    },
    "parent_bucket_path": "domain-count",
    "script": {
        "source": "params.doc_count >= 5",
        "lang": "painless"
    },
    "gap_policy": "skip"
}

In the action, I need to only refer to buckets for which the condition returned true. I can’t seem to find documentation on how to access the trigger response buckets (which when I hit “previw condition response”, tells me the number of expected buckets at the moment).

I can’t use

{{#ctx.results.0.aggregations.domain-count.buckets}} [{{key}}]: {{doc_count}}, {{/ctx.results.0.aggregations.domain-count.buckets}}

because that iterates over ALL the query results and I only need the ones for which the trigger returned true.

Thank you for any advice.

Configuration:

Running Alerting via OpenSearch UI

Relevant Logs or Screenshots:

gesteban · May 18, 2024, 7:38pm

Hi there,

As far as I know, the only option available to access the bucket keys is using bucket_keys. You can access this property within ctx.dedupedAlerts , ctx.newAlerts , and ctx.completedAlerts.

So, if for example you want to “print” that information in the trigger action, you would need to do something like:

{{#ctx.newAlerts}}{{bucket_keys}}{{/ctx.newAlerts}}

The keys are stored in a simple string with several key being comma-separated, which is ok if you have only one key but not really good if you have several keys and you need separatelly.

See documentation at https://opensearch.org/docs/latest/observing-your-data/alerting/monitors/

Topic		Replies	Views
Trigger on bucket count Alerting	1	1343	February 7, 2023
How to write trigger condition Alerting troubleshoot	7	11834	December 21, 2022
Trigger by one of buckets value Alerting troubleshoot , configure	7	2574	February 18, 2022
Help ! Tigger parase error Alerting configure	3	327	September 25, 2023
OpenSearch Bucket Aggregation - Get full message text OpenSearch	3	632	July 13, 2023

How to access trigger response bucket keys in action message

Related Topics