Opensearch bucket monitor

Hi,

I am new to Opensearch Alerts and I am trying to create an alert based on the percentage of documents from one method over the total number of methods triggered in a specific timeframe. I built the following query:

GET methods/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "timestamp": {
              "from": "now-1h",
              "to": "now",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "aggs": {
    "filters_agg": {
      "filters": {
        "filters": {
          "sourceCount": {
            "match_all": {}
          }
        }
      },
      "aggs": {
        "total_method_count": {
          "value_count": {
            "field": "id"
          }
        },
        "method_one": {
          "filter": {
            "term": {
              "method.keyword": "one"
            }
            
          },
          "aggs": {
            "total_count": {
              "value_count": {
                "field": "id"
              }
            }
          }
        },
        "method_one_percentage":
        {
          "bucket_script": {
            "buckets_path": {
              "methodOneCount": "method_one>total_count",
              "totalMethodCount": "total_method_count"
            },
            "script": "params.methodOneCount / params.totalMethodCount * 100"
          }
        }
      }
    }
  }
}

which gives the following output

{
  "took": 37,
  "timed_out": false,
  "_shards": {
    "total": 4,
    "successful": 4,
    "skipped": 3,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 331,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "filters_agg": {
      "buckets": {
        "sourceCount": {
          "doc_count": 331,
          "method_one": {
            "doc_count": 228,
            "total_count": {
              "value": 228
            }
          },
          "total_method_count": {
            "value": 331
          },
          "method_one_percentage": {
            "value": 68.8821752265861
          }
        }
      }
    }
  }
}

How can I use the above in the bucket triggers to trigger an alert when method_one_percentage is below 50?

Thanks

Did you ever get a response here? I’m trying to figure out something similar. I’m using a bucket query under the alerts functionality and I have my aggregations working. I’m struggling to figure out how to configure a trigger alert on the aggregate values I generate in the results query.

I’m looking to simply alert on error rate, which again is calculated just fine in the results. Here’s an example of what I would want to alert on.

        "endpoints": {
            "doc_count_error_upper_bound": 128,
            "sum_other_doc_count": 8379,
            "buckets": [
                {
                    "doc_count": 2003,
                    "total": {
                        "doc_count": 2003
                    },
                    "failures": {
                        "doc_count": 52
                    },
                    "errorRate": {
                        "value": 0.0025948349809703786
                    },
                    "key": "someuser123"
                },

I am trying to alert on errorRate but can’t seem to figure out how to access that value in the template script. I’ve read the documentation which suggests maybe using ctx[0] is the way to go. I am struggling to find other examples online. Any help would be appreciated.

{
    "buckets_path": {
        "": ""
    },
    "parent_bucket_path": "composite_agg",
    "script": {
        "source": "params."
    }
}

@monitors4fun This is my working example with aggregation and buckets.

{
   "name": "test1",
   "type": "monitor",
   "monitor_type": "query_level_monitor",
   "enabled": true,
   "schedule": {
      "period": {
         "unit": "MINUTES",
         "interval": 1
      }
   },
   "inputs": [
      {
         "search": {
            "indices": [
               "security-auditlog*"
            ],
            "query": {
               "size": 0,
               "query": {
                  "bool": {
                     "must": [
                        {
                           "match": {
                              "audit_category": {
                                 "query": "FAILED_LOGIN",
                                 "operator": "OR",
                                 "prefix_length": 0,
                                 "max_expansions": 50,
                                 "fuzzy_transpositions": true,
                                 "lenient": false,
                                 "zero_terms_query": "NONE",
                                 "auto_generate_synonyms_phrase_query": true,
                                 "boost": 1
                              }
                           }
                        },
                        {
                           "range": {
                              "@timestamp": {
                                 "from": "now-50m",
                                 "to": null,
                                 "include_lower": true,
                                 "include_upper": true,
                                 "boost": 1
                              }
                           }
                        }
                     ],
                     "adjust_pure_negative": true,
                     "boost": 1
                  }
               },
               "aggregations": {
                  "failed_logins": {
                     "terms": {
                        "field": "audit_request_effective_user.keyword",
                        "size": 10,
                        "min_doc_count": 1,
                        "shard_min_doc_count": 0,
                        "show_term_doc_count_error": false,
                        "order": [
                           {
                              "_count": "desc"
                           },
                           {
                              "_key": "asc"
                           }
                        ]
                     }
                  }
               }
            }
         }
      }
   ],
   "triggers": [
      {
         "query_level_trigger": {
            "id": "cGtbr40B80JLapXujh-P",
            "name": "trigger1",
            "severity": "1",
            "condition": {
               "script": {
                  "source": "ctx.results[0].hits.total.value > 0",
                  "lang": "painless"
               }
            },
            "actions": [
               {
                  "id": "notification246725",
                  "name": "send_slack",
                  "destination_id": "N2sqr40B80JLapXuIx8j",
                  "message_template": {
                     "source": "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n  - Trigger: {{ctx.trigger.name}}\n  - Severity: {{ctx.trigger.severity}}\n  - Period start: {{ctx.periodStart}}\n  - Period end: {{ctx.periodEnd}}  \nFailed {{ctx.results.0.hits.total.value}}  login attempts.\n{{#ctx.results.0.aggregations.failed_logins.buckets}} - user {{key}} had {{doc_count}} failed attempts <br>{{/ctx.results.0.aggregations.failed_logins.buckets}}",
                     "lang": "mustache"
                  },
                  "throttle_enabled": false,
                  "subject_template": {
                     "source": "Alerting Notification action",
                     "lang": "mustache"
                  }
               }
            ]
         }
      }
   ],
   "ui_metadata": {
      "schedule": {
         "timezone": null,
         "frequency": "interval",
         "period": {
            "unit": "MINUTES",
            "interval": 1
         },
         "daily": 0,
         "weekly": {
            "tue": false,
            "wed": false,
            "thur": false,
            "sat": false,
            "fri": false,
            "mon": false,
            "sun": false
         },
         "monthly": {
            "type": "day",
            "day": 1
         },
         "cronExpression": "0 */1 * * *"
      },
      "monitor_type": "query_level_monitor",
      "search": {
         "searchType": "query",
         "timeField": "@timestamp",
         "aggregations": [],
         "cleanedGroupBy": [],
         "bucketValue": 1,
         "bucketUnitOfTime": "h",
         "filters": []
      }
   }
}