I’m getting some strange results while attempting to set up a per-document (document-level) monitor.
- With a very simple query, the query preview fails to complete within the timeout period. The same query, run as a per-query monitor, finishes within a few milliseconds.
- When attempting to save the monitor, I get the error `[alerting_exception] Limit of total fields [1000] has been exceeded` (this looks like the index-mapping total-fields limit, `index.mapping.total_fields.limit`, being hit on one of the indices involved, though I can't tell which one), but the monitor saves anyway.
- The document-level monitor never produces any findings.
I’ve set this up in a lab instance and didn’t have any of these issues there, and I’m not sure where to look to figure out what is going on.
Here is the monitor config:
{
"name": "testindexmonitor",
"type": "monitor",
"monitor_type": "doc_level_monitor",
"enabled": true,
"schedule": {
"period": {
"unit": "MINUTES",
"interval": 1
}
},
"inputs": [
{
"doc_level_input": {
"description": "",
"indices": [
"testindex-2022.08.26"
],
"queries": [
{
"id": "testing",
"name": "testing",
"query": "opensearch_index:\"testindex\"",
"tags": []
}
]
}
}
],
"triggers": [
{
"document_level_trigger": {
"id": "UWRl2oIBJ0K-W9iQSKA4",
"name": "testtrigger",
"severity": "1",
"condition": {
"script": {
"source": "query[name=testing]",
"lang": "painless"
}
},
"actions": []
}
}
],
"ui_metadata": {
"schedule": {
"timezone": null,
"frequency": "interval",
"period": {
"unit": "MINUTES",
"interval": 1
},
"daily": 0,
"weekly": {
"tue": false,
"wed": false,
"thur": false,
"sat": false,
"fri": false,
"mon": false,
"sun": false
},
"monthly": {
"type": "day",
"day": 1
},
"cronExpression": "0 */1 * * *"
},
"monitor_type": "doc_level_monitor",
"doc_level_input": {
"queries": [
{
"id": "testing",
"queryName": "testing",
"field": "opensearch_index",
"operator": "==",
"query": "testindex",
"tags": []
}
]
},
"search": {
"searchType": "graph"
}
}
}
Any help would be appreciated.