I can't use group-by option in query alerting & preventing back-to-back alerts

Plugins Alerting
1

Hello comm!

I’m trying to set up a Per Query Monitor and I want to create alerts with this monitor. While I was trying to set up my query, I couldn’t use the group-by field for my query.

image
image740×804 47.9 KB

My example data is like this:

{
  "_index": "testing-opensearch",
  "_id": "NJuDioEBkISIDB93xdmX",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2022-06-22T08:25:00",
    "device": "computer",
    "total_count": 11,
    "status": 0
  },
  "fields": {
    "@timestamp": [
      "2022-06-22T08:25:00.000Z"
    ]
  },
  "sort": [
    1655886300000
  ]
}

In my example data as you see there are the “device” field and “total_count” fields. I have 2 devices, a computer, and a phone I want to send an alert when these devices have over 10 “total_count”. I can alert when the total_count field is above 10 but I also want to group-by the alert by the “device” field. But when I tried that I couldn’t be able to see my device field in the group-by section.

Mappings for my data:
“device” field is “text”
“total_count” field is “long”

My 2nd question is when I created an alert it also sends alerts while the alert’s status is alerting. Since my alert works every minute this means back-to-back same alerts every minute. This is an issue for me because I don’t want to get the same alert every minute. Can I prevent this?

2

I found my solution for my 2nd question. I couldn’t see the “Enable Throttling” option in Alerting section. My 1st problem is still continues

3

What version of OpenSearch are you using? Have you updated to the latest version of OpenSearch as there may be a bug in the version you are using. @mertkaant

4

I’m using the latest version, the 2.0.1 version. I had another problem but like you said that’s fixed after the update

1 Like
5

I upgraded my OpenSearch cluster’s version to 2.1.0 from 2.0.1, but the problem with the group by option still continues. Can you help me out, please?

6

@mertkaant I have the same issue. Could you find a solution?

7

Hi @mertkaant and @getanton,

As far as I know, the terms aggregation (which is what’s being applied on the group by fields here), cannot be done on a text field directly. You’ll want to provide a keyword subfield for the text field and aggregate on that.

Here is what an example mapping would look like for device:

"device": {
  "type": "text",
  "fields": {
    "keyword": { 
      "type":  "keyword"
    }
  }
}

Then device.keyword is what you’d select in the group by section.

2 Likes
8

@mertkaant @getanton were you able to make it work? i have the same issue.

9

Hi @qreshi i have this case where group by is showing up when i am trying to create visualization on field which is keyword but nothing shows up in group by when trying to create monitor.

field showing in visualization :

image
image2626×446 67.4 KB

any ideas?