Open Distro alerting: compare two field counts

Hi everyone,

We want to create an alert that compares two field counts, but I don't know how to do it.

One field is an error log, the other field is sales. I want to trigger an alert when the sales count is < 1 and the error count is > 100.

Can you help me ASAP, please?

Cem.

Hi @cemkuleyin,

You are going to want to create an aggregation query for these two fields, something like what was posted in this Stack Overflow answer: ElasticSearch group by multiple fields - Stack Overflow

Then, in your trigger condition, you will simply need an AND condition, something like:

return ctx.results[0].aggs.sales_count.hits < 1 && ctx.results[0].aggs.error_count.hits > 100;

Hi @lucaswin-amzn,

Thank you for your answer. I tried your solution, but my trigger is not working.

The trigger is:

return ctx.results[0].aggs.thy.hits > 1000 && ctx.results[0].aggs.pegasus.hits > 100;

The message is:

{"subject":"Subject Content","body":"!!! Testtir: {{ctx.results[0].aggs.thy.age_range.buckets.doc_count}} | {{return ctx.results[0].aggs.thy.doc_count}}","phone_numbers":["905308725661"]}

Our alert's query is below.

{
    "size": 1,
    "query": {
        "bool": {
            "must": [
                {
                    "query_string": {
                        "query": "message:LTBLogger",
                        "default_field": "*",
                        "fields": [],
                        "type": "best_fields",
                        "default_operator": "or",
                        "max_determinized_states": 10000,
                        "enable_position_increments": true,
                        "fuzziness": "AUTO",
                        "fuzzy_prefix_length": 0,
                        "fuzzy_max_expansions": 50,
                        "phrase_slop": 0,
                        "analyze_wildcard": true,
                        "escape": false,
                        "auto_generate_synonyms_phrase_query": true,
                        "fuzzy_transpositions": true,
                        "boost": 1
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-2d",
                            "to": null,
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "aggregations": {
        "pegasus": {
            "filter": {
                "term": {
                    "ctxt_provider.keyword": {
                        "value": "pegasus",
                        "boost": 1
                    }
                }
            },
            "aggregations": {
                "age_range": {
                    "terms": {
                        "field": "ctxt_provider.keyword",
                        "size": 10,
                        "min_doc_count": 1,
                        "shard_min_doc_count": 0,
                        "show_term_doc_count_error": false,
                        "order": [
                            {
                                "_count": "desc"
                            },
                            {
                                "_key": "asc"
                            }
                        ]
                    }
                }
            }
        },
        "thy": {
            "filter": {
                "term": {
                    "ctxt_provider.keyword": {
                        "value": "thy",
                        "boost": 1
                    }
                }
            },
            "aggregations": {
                "age_range": {
                    "terms": {
                        "field": "ctxt_provider.keyword",
                        "size": 10,
                        "min_doc_count": 1,
                        "shard_min_doc_count": 0,
                        "show_term_doc_count_error": false,
                        "order": [
                            {
                                "_count": "desc"
                            },
                            {
                                "_key": "asc"
                            }
                        ]
                    }
                }
            }
        }
    }
}

And the response:

{
    "_shards": {
        "total": 22,
        "failed": 0,
        "successful": 22,
        "skipped": 0
    },
    "hits": {
        "hits": [
            {
                "_index": "test-pi-app-2019.11.06",
                "_type": "logs",
                "_source": {
                    "@timestamp": "2019-11-06T06:36:40.845Z",
                    "source_host": "127.0.0.1",
                    "ctxt_is_vi": false,
                    "level": 6,
                    "ctxt_endpoint": "b2b.flypgs.com",
                    "@version": "1",
                    "host": "prodtest-SH1",
                    "ctxt_method": "search",
                    "message": "[LTBLogger][pegasus]",
                    "version": "1.0",
                    "ctxt_provider": "pegasus",
                    "facility": "app"
                },
                "_id": "ws1uP24Bm3oynWmeAksP",
                "_score": 6.8545413
            }
        ],
        "total": {
            "value": 1812,
            "relation": "eq"
        },
        "max_score": 6.8545413
    },
    "took": 8,
    "timed_out": false,
    "aggregations": {
        "thy": {
            "age_range": {
                "doc_count_error_upper_bound": 0,
                "sum_other_doc_count": 0,
                "buckets": [
                    {
                        "doc_count": 187,
                        "key": "thy"
                    }
                ]
            },
            "doc_count": 187
        },
        "pegasus": {
            "age_range": {
                "doc_count_error_upper_bound": 0,
                "sum_other_doc_count": 0,
                "buckets": [
                    {
                        "doc_count": 307,
                        "key": "pegasus"
                    }
                ]
            },
            "doc_count": 307
        }
    }
}

I can see that in your response the nesting is done in the following manner:

aggregations->thy->doc_count and aggregations->pegasus->doc_count.

Your monitor probably entered the ERROR state due to a null pointer exception, as you are looking for variables that do not exist. You will want to have your trigger condition like this:

return ctx.results[0].aggregations.thy.doc_count > 1000 && ctx.results[0].aggregations.pegasus.doc_count > 100;

Does this make sense? If not, I can provide a more detailed explanation.

Thanks,
Lucas Winkelmann
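The pattern from the two answers above (one filter aggregation per provider, a trigger condition that ANDs their counts), as an added example that is not part of the original thread or of the Open Distro project: a small Python script that builds the monitor's search input in the Open Distro `inputs[].search` shape, renders the corrected Painless condition, and evaluates the same condition locally against a constructed, trimmed copy of the posted response, so the difference between the broken `aggs.<name>.hits` path and the working `aggregations.<name>.doc_count` path can be seen without a cluster. The index pattern `test-pi-app-*`, the function names and the constructed sample result are assumptions; the field names and provider values are the thread's own.

```python
import json
import operator

# Constructed sample: a trimmed copy of the response shape posted in the thread
# (one filter aggregation per provider, each with a top-level doc_count).
SAMPLE_RESULT = {
    "hits": {"total": {"value": 1812, "relation": "eq"}},
    "aggregations": {
        "thy": {"doc_count": 187},
        "pegasus": {"doc_count": 307},
    },
}

OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def build_search_input(index, providers, message_term="LTBLogger", lookback="now-2d"):
    """Monitor search input (Open Distro 'inputs[].search' shape) with one
    filter aggregation per provider value. The terms sub-aggregation from
    the thread is dropped: a filter aggregation's own doc_count is already
    the per-provider count the trigger needs."""
    return {
        "search": {
            "indices": [index],  # assumed index pattern
            "query": {
                "size": 0,  # the trigger reads aggregations only; no hits needed
                "query": {
                    "bool": {
                        "must": [
                            {"query_string": {"query": f"message:{message_term}"}},
                            {"range": {"@timestamp": {"gte": lookback}}},
                        ]
                    }
                },
                "aggregations": {
                    p: {"filter": {"term": {"ctxt_provider.keyword": p}}}
                    for p in providers
                },
            },
        }
    }


def painless_condition(conditions):
    """Render the trigger script in the corrected form from the answer above,
    e.g. [("thy", ">", 1000), ("pegasus", ">", 100)]."""
    parts = [
        f"ctx.results[0].aggregations.{p}.doc_count {op} {n}" for p, op, n in conditions
    ]
    return "return " + " && ".join(parts) + ";"


def resolve(result, path):
    """Walk a dotted path like 'aggregations.thy.doc_count' through the result.
    Returns None when any step is missing, which is what Painless sees (a null)
    before the comparison fails and the monitor goes to ERROR."""
    node = result
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate_trigger(result, conditions):
    """Local evaluation of the condition painless_condition() renders.
    Raises TypeError on a missing path, mirroring the null comparison failure."""
    for provider, op, threshold in conditions:
        count = resolve(result, f"aggregations.{provider}.doc_count")
        if count is None:
            raise TypeError(f"no doc_count for aggregation {provider!r}")
        if not OPS[op](count, threshold):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(build_search_input("test-pi-app-*", ["thy", "pegasus"]), indent=2))
    rules = [("thy", ">", 1000), ("pegasus", ">", 100)]
    print(painless_condition(rules))
    print("broken path resolves to:", resolve(SAMPLE_RESULT, "aggs.thy.hits"))
    print("trigger fires:", evaluate_trigger(SAMPLE_RESULT, rules))
```

The original question (sales < 1 and errors > 100) is the same shape with the provider values swapped for the two categories being counted: `[("sales", "<", 1), ("errors", ">", 100)]`, with a matching filter aggregation named for each. Check the aggregation names in the monitor's search input against the names used in the condition; a name that does not exist in the response resolves to null and the monitor errors instead of evaluating to false.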

Thank you very much @lucaswin-amzn.

In the part below, I want to use multiple term filters or a “string query”. How do you do that?

"aggregations": {
        "pegasus": {
            "filter": {
                "term": {
                    "ctxt_provider.keyword": {
                        "value": "pegasus",
                        "boost": 1