Per Bucket iteration

Hello,

I’m new to this. I am using a “Per bucket monitor” and have the following extraction query response:

{
  "_shards": {
    "total": 366,
    "failed": 0,
    "successful": 366,
    "skipped": 342
  },
  "hits": {
    "hits": [],
    "total": {
      "value": 10000,
      "relation": "gte"
    },
    "max_score": null
  },
  "took": 64,
  "timed_out": false,
  "aggregations": {
    "users": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "doc_count": 76,
          "country_bucket_count": {
            "value": 2
          },
          "countries": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 68,
                "key": "United Arab Emirates"
              },
              {
                "doc_count": 8,
                "key": "Latvia"
              }
            ]
          },
          "key": "user1@domain.com"
        },
        {
          "doc_count": 57,
          "country_bucket_count": {
            "value": 2
          },
          "countries": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 44,
                "key": "Luxembourg"
              },
              {
                "doc_count": 13,
                "key": "Belgium"
              }
            ]
          },
          "key": "user2@domain.com"
        },
        {
          "doc_count": 56,
          "country_bucket_count": {
            "value": 2
          },
          "countries": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 49,
                "key": "Sweden"
              },
              {
                "doc_count": 7,
                "key": "Spain"
              }
            ]
          },
          "key": "user3@domain.com"
        }
      ]
    }
  }
}

I need to create an alert for every user. How can I achieve this? Is it even possible? I can’t get it to work no matter what.

Here is my trigger condition:
{
  "buckets_path": {
    "count": "_count"
  },
  "parent_bucket_path": "users",
  "script": {
    "source": "params.count > 0",
    "lang": "painless"
  },
  "gap_policy": "skip"
}

It just returns:
[
  {},
  {},
  {}
]

After that, I can only configure the alert message to display either a specific user (by index) or all users in a single message.

Is it possible for a trigger to run per bucket and generate as many alerts as there are users extracted by the query?

@maelk This does not appear to be possible currently. This seems like a bug in alerting: using a bucket-level monitor with a composite aggregation shows "agg_result_buckets" but no action_results, and therefore no notification/alert.

This can be reproduced using the following commands:

PUT per_bucket_demo
{
  "mappings": {
    "properties": {
      "user":    { "type": "keyword" },
      "country": { "type": "keyword" },
      "ts":      { "type": "date" },
      "bytes":   { "type": "integer" }
    }
  }
}

POST per_bucket_demo/_bulk
{ "index": {} }
{ "user": "user1@domain.com", "country": "US", "ts": "2026-02-10T01:00:00Z", "bytes": 500 }
{ "index": {} }
{ "user": "user1@domain.com", "country": "US", "ts": "2026-02-10T02:00:00Z", "bytes": 700 }
{ "index": {} }
{ "user": "user2@domain.com", "country": "DE", "ts": "2026-02-10T01:30:00Z", "bytes": 300 }
{ "index": {} }
{ "user": "user2@domain.com", "country": "DE", "ts": "2026-02-10T02:30:00Z", "bytes": 900 }
{ "index": {} }
{ "user": "user3@domain.com", "country": "FR", "ts": "2026-02-10T01:15:00Z", "bytes": 200 }
{ "index": {} }
{ "user": "user3@domain.com", "country": "FR", "ts": "2026-02-10T03:45:00Z", "bytes": 1200 }

POST _plugins/_alerting/monitors
{
  "name": "per_user_per_hour_monitor_final2",
  "monitor_type": "bucket_level_monitor",
  "enabled": true,
  "schedule": { "period": { "interval": 1, "unit": "MINUTES" } },
  "inputs": [
    {
      "search": {
        "indices": ["per_bucket_demo"],
        "query": {
          "size": 0,
          "aggs": {
            "by_user_hour": {
              "composite": {
                "size": 1000,
                "sources": [
                  { "user": { "terms": { "field": "user", "order": "asc" } } },
                  { "hour": { "date_histogram": { "field": "ts", "calendar_interval": "hour", "order": "asc", "format": "yyyy-MM-dd HH:mm:ss'Z'" } } }
                ]
              },
              "aggs": { "bytes_sum": { "sum": { "field": "bytes" } } }
            }
          }
        }
      }
    }
  ],
  "triggers": [
    {
      "bucket_level_trigger": {
        "name": "user_hour_bytes_gt_800",
        "severity": "1",
        "condition": {
          "parent_bucket_path": "by_user_hour",
          "buckets_path": { "bytes": "bytes_sum" },
          "script": "params.bytes > 800"
        },
        "actions": [
          {
            "name": "slack-per-user-hour",
            "destination_id": "<dest_ID>",
            "action_execution_policy": {
              "action_execution_scope": {
                "per_alert": { "actionable_alerts": ["NEW","DEDUPED","COMPLETED"] }
              }
            },
            "subject_template": { "source": "User/hour bytes alert" },
            "message_template": {
              "source": "User {{ctx.alert.aggregation_result_bucket.bucket.key.user}} @ {{ctx.alert.aggregation_result_bucket.bucket.key.hour}} exceeded 800 bytes (sum={{ctx.alert.aggregation_result_bucket.bucket.bytes_sum.value}})"
            }
          }
        ]
      }
    }
  ]
}

POST _plugins/_alerting/monitors/<monitor_id>/_execute

I would recommend filing an issue for this here.

In the meantime, the two workarounds are either to use one alert for all the users that hit the defined threshold, or to use separate monitors per user.

Hope this helps

Thank you for your reply. Did I understand correctly that the commands you posted can reproduce the result I need? Where and how should I use them? :sweat_smile:

@maelk no, the commands are useful to reproduce the bug when you are filing an issue. The workaround would be either to use one alert for all the users that hit the defined threshold, or to use separate monitors per user.
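An added example, not code from the thread or from the OpenSearch Alerting plugin: it evaluates the question's bucket_selector-style trigger condition per user over a trimmed copy of the posted aggregation response, and then builds the second workaround (one cloned monitor per user, each filtered to that user). The index pattern `auth-logs-*`, the `BASE_MONITOR` body and the sample bucket values are constructed assumptions.

```python
import copy

# Constructed sample, trimmed from the extraction-query response in the question:
# one terms bucket per user, each carrying a country_bucket_count metric.
SAMPLE_RESPONSE = {"aggregations": {"users": {"buckets": [
    {"key": "user1@domain.com", "doc_count": 76, "country_bucket_count": {"value": 2}},
    {"key": "user2@domain.com", "doc_count": 57, "country_bucket_count": {"value": 2}},
    {"key": "user3@domain.com", "doc_count": 5, "country_bucket_count": {"value": 1}},
]}}}

# Minimal bucket-level monitor body used as the cloning template (index name is a placeholder).
BASE_MONITOR = {
    "name": "users-per-country",
    "monitor_type": "bucket_level_monitor",
    "inputs": [{"search": {"indices": ["auth-logs-*"], "query": {
        "size": 0,
        "aggs": {"users": {"terms": {"field": "user"}, "aggs": {
            "country_bucket_count": {"cardinality": {"field": "country"}}}}},
    }}}],
}

def resolve_path(bucket, path):
    """Resolve one buckets_path entry: '_count' is doc_count, 'metric' reads
    metric.value, and 'agg>metric' walks nested aggregations."""
    if path == "_count":
        return bucket["doc_count"]
    node = bucket
    for part in path.split(">"):
        node = node[part]
    return node["value"]

def evaluate_trigger(response, parent_bucket_path, buckets_path, condition):
    """Apply a bucket-selector style condition to every bucket under parent_bucket_path
    and return the keys that fire; `condition` is a callable standing in for Painless."""
    fired = []
    for bucket in response["aggregations"][parent_bucket_path]["buckets"]:
        params = {name: resolve_path(bucket, p) for name, p in buckets_path.items()}
        if condition(params):
            fired.append(bucket["key"])
    return fired

def per_user_monitors(base_monitor, users, user_field="user"):
    """Second workaround from the thread: one monitor per user, each with a term
    filter so its trigger and notification concern exactly one user."""
    monitors = []
    for user in users:
        m = copy.deepcopy(base_monitor)
        m["name"] = f"{base_monitor['name']}-{user}"
        m["inputs"][0]["search"]["query"]["query"] = {"term": {user_field: user}}
        monitors.append(m)
    return monitors
```

Feeding `evaluate_trigger` the keys that fire into `per_user_monitors` gives one monitor body per user to POST to `_plugins/_alerting/monitors`; a condition on `country_bucket_count` (users seen from more than one country) narrows the set before any monitors are created.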
