Is nested querying supported for per-document monitor?

abinabu · August 20, 2025, 1:33pm

Versions: latest

Describe the issue: I was experimenting with per-document monitors and is filtering on nested fields supported in this type of monitor?

Index mapping snippet:

{
  "_data_stream_timestamp": {
    "enabled": true
  },
  "properties": {
    "@timestamp": {
      "type": "date"
    },
    "overall_status": {
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      },
      "type": "text"
    },
    "status_apps": {
      "type": "nested",
      "properties": {
        "app_name": {
          "type": "text"
        },
        "instance_count": {
          "type": "integer"
        }
      }
    }
  }
}

Can i create a per-document monitor which looks for overall_status == “SUCCESS” and instance_count is greater than 0?

I’ve only issue with the nested objects. Unfortunately, the logs are much complex and I’ve simplified it for this question.

Is nested querying supported for per-document monitors similar to query-level monitor

Thanks in advance.

abinabu · August 21, 2025, 10:23am

@pablo Can you help here?

Leeroy · August 22, 2025, 8:55am

hey @abinabu ,

Nested fields can be used in monitors, you could create a monitor something like this

POST /_plugins/_alerting/monitors
{
  "name": "testNestedFields",
  "type": "monitor",
  "enabled": true,
  "schedule": {
    "period": {
      "interval": 5,
      "unit": "MINUTES"
    }
  },
  "inputs": [
    {
      "search": {
        "indices": [
          "application_status_logs"
        ],
        "query": {
          "size": 100,
          "query": {
            "nested": {
              "path": "status_apps",
              "query": {
                "bool": {
                  "must": [
                    {
                      "match": {
                        "overall_status.keyword": "SUCCESS"
                      }
                    },
                    {
                      "range": {
                        "status_apps.instance_count": {
                          "gt": 0
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  ],
  "triggers": [
    {
      "name": "Backend API Instance Count Low Trigger",
      "severity": "1",
      "condition": {
        "script": {
          "source": "true"
        }
      },
      "actions": [
        {
          "name": "Send notification",
          "destination_id": "your-destination-id",
          "message_template": {
            "source": "⚠️ Backend API instance count low.\nDoc: {{ctx._id}}\nCount: {{ctx._source.status_apps.instance_count}}\nTimestamp: {{ctx._source['@timestamp']}}"
          }
        }
      ]
    }
  ]
}

You might also find it useful to read about nested fields - Nested - OpenSearch Documentation You will learn how to query and then can use both to make your own custom monitors.

Leeroy.

Topic		Replies	Views
Trouble configuring per document monitor Alerting	0	486	August 29, 2022
How do i include message fields in the Alert Action Message for Per document monitor Alerting	6	2170	September 3, 2023
Create Monitor Condition for per document monitor if query having field which contains value `greater than` or `less than` particular value Alerting discuss	0	332	December 12, 2022
Kibana Open Distro Alerts - 2+ monitor conditions & relative triggers Alerting	2	849	April 9, 2021
Per document monitor output with doc's fields Alerting feature-request	1	203	December 31, 2023

Is nested querying supported for per-document monitor?

Related topics