hi,
currently familiarising with Open Distro Alerting Features in Kibana and wanted to ask 2 quick questions.
Can triggers be relative values of total hits?
e.x.: trigger: > 10% of total hits
Can Monitors be set up for 2+ conditions?
e.x.: field 1 contains “abc” AND field 2 contains “200”
thanks
Hi,
We are also looking for this feature, is there a fix for this?
Hi @rakesh,
If you select "Define using extraction query" when creating the Monitor, you’ll be able to define your Triggers yourself with Painless scripts. This will allow you to create more complex Trigger conditions.
For example:
int count = 0;
// Get 10% of the total hits of the response
double percentOfTotal = ctx.results[0].total.value * 0.1;
// Iterate over the search hits
for (int i = 0; i < ctx.results[0].hits.hits.length; i++) {
// Storing the source as a variable just to reference it easier
Map src = ctx.results[0].hits.hits[i]._source;
// Check if both field_1 and field_2 match certain values
if (src.field_1 == "abc" && src.field_2 == 200) {
count++;
}
}
return count > percentOfTotal;
In the example above, instances of both of @pete’s conditions can be seen. We iterate over the search hits (which are the response of the Monitor’s input query) and increment a count if both field_1 and field_2 are what we expect. We then check if the count is greater than 10% of the total hits.