Hello,
Please suggest how I can write a trigger condition that checks the count for each host and not the total.
Alert criterion: I want to trigger an alert if a computer has > 20 doc count.
So instead of this
    ctx.results[0].hits.total.value > 400
I need to access doc_count for each computer,
something like the following:
    ctx.results[0].aggregations.group_by_host.buckets.doc_count > 400
But the above throws an error:
    {
      "type" : "script_exception",
      "reason" : "runtime error",
      "script_stack" : [
        "ctx.results[0].aggregations.group_by_host.buckets.doc_count > 400",
        "                                                   ^---- HERE"
      ],
      "script" : "ctx.results[0].aggregations.group_by_host.buckets.doc_count > 400",
      "lang" : "painless",
      "caused_by" : {
        "type" : "illegal_argument_exception",
        "reason" : "Illegal list shortcut value [doc_count]."
      }
    }
Following is the response from the extraction query which I am using for the trigger action. How can I access doc_count, which is under buckets, so it will only qualify
    {
      "_shards": {
        "total": 198,
        "failed": 0,
        "successful": 198,
        "skipped": 52
      },
      "hits": {
        "hits": ,
        "total": {
          "value": 496,
          "relation": "eq"
        },
        "max_score": null
      },
      "took": 11,
      "timed_out": false,
      "aggregations": {
        "group_by_host": {
          "doc_count_error_upper_bound": 0,
          "sum_other_doc_count": 0,
          "buckets": [
            {
              "doc_count": 494,
              "key": "Computer1"
            },
            {
              "doc_count": 2,
              "key": "Computer2"
            }
          ]
        },
        "event_count": {
          "value": 496
        }
      }
    }
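The error above comes from applying `.doc_count` to `buckets`, which is a list, not a single bucket; the fix is to loop over the buckets and test each one. In a Painless trigger condition that loop looks like `for (def b : ctx.results[0].aggregations.group_by_host.buckets) { if (b.doc_count > 20) { return true; } } return false;`. The Python below is an added example, not code from the original post or from the OpenSearch/Elasticsearch project, that models that same per-host evaluation over the response quoted in the post so the logic can be checked offline. The sample response is constructed from the post's output with the empty `hits` list restored; the function names `hosts_over_threshold` and `trigger_condition` and the threshold of 20 from the stated alert criterion are the example's own assumptions.

```python
import json

# Constructed sample: the aggregation response quoted in the post above,
# with the empty "hits" list restored (its brackets were lost in the forum rendering).
SAMPLE_RESPONSE = json.loads("""
{
  "hits": {"hits": [], "total": {"value": 496, "relation": "eq"}, "max_score": null},
  "aggregations": {
    "group_by_host": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {"doc_count": 494, "key": "Computer1"},
        {"doc_count": 2, "key": "Computer2"}
      ]
    },
    "event_count": {"value": 496}
  }
}
""")


def hosts_over_threshold(response, threshold, agg_name="group_by_host"):
    """Return (key, doc_count) for every terms bucket whose doc_count exceeds threshold.

    `buckets` is a list, so it has to be iterated bucket by bucket; reading
    `.doc_count` on the list itself is what raised the "Illegal list shortcut
    value" error quoted in the post. agg_name is the terms aggregation name
    used in the post's extraction query (assumed here).
    """
    buckets = response["aggregations"][agg_name]["buckets"]
    return [(b["key"], b["doc_count"]) for b in buckets if b["doc_count"] > threshold]


def trigger_condition(ctx, threshold):
    """Boolean equivalent of the monitor trigger: fire if any single host exceeds threshold.

    ctx mirrors the Painless `ctx` object, where ctx.results[0] is the
    search response of the monitor's first input.
    """
    return len(hosts_over_threshold(ctx["results"][0], threshold)) > 0


if __name__ == "__main__":
    ctx = {"results": [SAMPLE_RESPONSE]}
    print(hosts_over_threshold(SAMPLE_RESPONSE, 20))  # [('Computer1', 494)]
    print(trigger_condition(ctx, 20))                  # True
```

Two practical points when moving this into the monitor: keep the extraction query's `size` at 0 so the trigger evaluates the aggregation rather than the raw hits, and give the `group_by_host` terms aggregation a `size` large enough to cover every host, otherwise hosts beyond that limit are folded into `sum_other_doc_count` and can never trip the per-host threshold.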