Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
AWS 2.30
Describe the issue:
Hi all, I’m looking for some ideas on how to create a monitor/alert that depends on pairs of sequential events/documents. The index does not have a parent/child relationship defined between them, it contains bulk imports of json data. A simplified query in SQL would look like this:
select a.source, a.type, b.source, b.status
from myindex as a
join myindex as b on a.ref_id = b.ref_id
where a.source = 'A' and a.type = 'T'
and b.source = 'B' and b.status = 'rejected'
I want to receive alerts if this query returns 10 or more entries in the last hour, or even alert for any result returned. From reading the documentation it doesn't look like this is possible with OpenSearch without potentially implementing a custom plugin. Any thoughts?
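The self-join in the SQL above cannot be expressed as a single OpenSearch query, but the same condition can be computed outside the cluster in two round trips: fetch the "a" side (source A, type T, last hour), collect its ref_id values, then fetch the "b" side (source B, status rejected) restricted to those ref_ids with a terms filter, and count the matched pairs. The following is an added example, not code from the question or from the OpenSearch project. It takes the field names ref_id, source, type and status from the SQL; the @timestamp field, the keyword mapping needed for term filters, the 10000 page size and the in-memory search stub used to run it offline are assumptions. The stub evaluates only the term, terms and range clauses the two queries use, over constructed sample documents.

```python
"""Client-side correlation of paired events, matching the SQL self-join in the
question. Constructed sample data; no live cluster needed. (added example)"""
from datetime import datetime, timedelta, timezone

INDEX = "myindex"  # index name from the question's SQL


def query_first_events(window_minutes=60):
    """DSL for the 'a' side: source A, type T, within the last hour.
    '@timestamp' is an assumed field name; keyword mappings are assumed."""
    return {
        "size": 10000,
        "_source": ["ref_id", "source", "type", "@timestamp"],
        "query": {"bool": {"filter": [
            {"term": {"source": "A"}},
            {"term": {"type": "T"}},
            {"range": {"@timestamp": {"gte": f"now-{window_minutes}m"}}},
        ]}},
    }


def query_second_events(ref_ids):
    """DSL for the 'b' side: source B, status rejected, restricted to the
    ref_ids seen on the 'a' side (a terms filter stands in for the join key)."""
    return {
        "size": 10000,
        "_source": ["ref_id", "source", "status"],
        "query": {"bool": {"filter": [
            {"term": {"source": "B"}},
            {"term": {"status": "rejected"}},
            {"terms": {"ref_id": sorted(ref_ids)}},
        ]}},
    }


def join_pairs(a_hits, b_hits):
    """Client-side equivalent of 'join myindex as b on a.ref_id = b.ref_id'."""
    a_by_ref = {}
    for a in a_hits:
        a_by_ref.setdefault(a["ref_id"], []).append(a)
    rows = []
    for b in b_hits:
        for a in a_by_ref.get(b["ref_id"], []):
            rows.append((a["source"], a["type"], b["source"], b["status"], b["ref_id"]))
    return rows


def evaluate(search, threshold=10):
    """Run both queries through `search` (a callable that takes a DSL body and
    returns a list of _source dicts) and decide whether to alert."""
    a_hits = search(query_first_events())
    if not a_hits:                      # nothing on the 'a' side: skip the second query
        return {"pairs": 0, "alert": False}
    ref_ids = {a["ref_id"] for a in a_hits}
    b_hits = search(query_second_events(ref_ids))
    rows = join_pairs(a_hits, b_hits)
    return {"pairs": len(rows), "alert": len(rows) >= threshold, "rows": rows}


# ---- offline stand-in for the cluster (assumption: evaluates only the clauses above)
def _matches(doc, clause, now):
    (kind, body), = clause.items()
    (field, arg), = body.items()
    if kind == "term":
        return doc.get(field) == arg
    if kind == "terms":
        return doc.get(field) in arg
    if kind == "range":                 # only the "now-<N>m" form used above
        minutes = int(arg["gte"][len("now-"):-1])
        return doc[field] >= now - timedelta(minutes=minutes)
    raise ValueError(f"unsupported clause: {kind}")


def make_local_search(docs, now):
    """Return a search callable that filters `docs` like the bool/filter query."""
    def search(body):
        filters = body["query"]["bool"]["filter"]
        return [d for d in docs if all(_matches(d, f, now) for f in filters)]
    return search


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
SAMPLE_DOCS = [                                           # constructed documents
    {"ref_id": "r1", "source": "A", "type": "T", "@timestamp": NOW - timedelta(minutes=5)},
    {"ref_id": "r1", "source": "B", "status": "rejected"},
    {"ref_id": "r2", "source": "A", "type": "T", "@timestamp": NOW - timedelta(hours=2)},  # stale
    {"ref_id": "r2", "source": "B", "status": "rejected"},
    {"ref_id": "r3", "source": "A", "type": "T", "@timestamp": NOW - timedelta(minutes=1)},
    {"ref_id": "r3", "source": "B", "status": "accepted"},                                  # not rejected
    {"ref_id": "r4", "source": "A", "type": "T", "@timestamp": NOW - timedelta(minutes=30)},
    {"ref_id": "r4", "source": "B", "status": "rejected"},
    {"ref_id": "r4", "source": "B", "status": "rejected"},                                  # two b rows
    {"ref_id": "r5", "source": "A", "type": "X", "@timestamp": NOW - timedelta(minutes=3)},  # wrong type
    {"ref_id": "r5", "source": "B", "status": "rejected"},
]

if __name__ == "__main__":
    result = evaluate(make_local_search(SAMPLE_DOCS, NOW), threshold=10)
    print(f"{result['pairs']} matched pair(s); alert={result['alert']}")
```

Against a real cluster, `search` would wrap opensearch-py as `lambda body: [h["_source"] for h in client.search(index=INDEX, body=body)["hits"]["hits"]]` and the script would run on a schedule that matches the monitor interval. Two caveats: the terms filter is capped by the index.max_terms_count setting (65536 by default), so a very busy "a" side needs batching, and each side is paged at 10000 hits, so a larger window needs search_after or the scroll API rather than a bigger size.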