Versions:
OpenSearch: 2.11.0
Describe the issue:
I’m fairly new to OpenSearch Alerting and would like to set up a per-bucket monitor for the following query:
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"term": {
"event.keyword": "request_calculated"
}
},
{
"range": {
"@timestamp": {
"gte": "now-2h"
}
}
}
]
}
},
"aggs": {
"by_asset": {
"terms": {
"field": "asset"
},
"aggs": {
"earliest_doc": {
"top_hits": {
"size": 1,
"sort": [
{
"@timestamp": "asc"
}
],
"_source": {
"includes": [
"request_power_active",
"allocated_power_active",
"@timestamp"
]
}
}
},
"latest_doc": {
"top_hits": {
"sort": [
{
"@timestamp": "desc"
}
],
"_source": {
"includes": [
"request_power_active",
"allocated_power_active",
"@timestamp"
]
},
"size": 1
}
}
}
}
}
}
Is this even possible with a top_hits aggregation in a bucket-level monitor? I cannot get it to work.