触发警报中的嵌套存储桶
Triggering for a nested bucket in Alerting
问:
我使用 monitor 来获取 Opensearch Alerting 中每个地址的每个接口的警报。为了在嵌套桶中迭代,我找到了这个示例。但该示例只能按桶(Per bucket)使用,并且只返回 True/False 响应。我需要按查询(Per query)使用嵌套存储桶来获取警报,其中包括 out_error 列表的最后一个元素及其 thirtieth_difference 字段。
查询:
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"from": "now-20m"
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"aggregations": {
"composite_agg": {
"terms": {
"field": "address.keyword",
"size": 500,
"min_doc_count": 0,
"order": {
"_key": "desc"
}
},
"aggregations": {
"interface": {
"terms": {
"field": "name.keyword"
},
"aggregations": {
"out_error": {
"date_histogram": {
"field": "@timestamp",
"interval": "10m",
"offset": 0,
"order": {
"_key": "asc"
},
"min_doc_count": 0
},
"aggregations": {
"errors": {
"avg": {
"field": "name.count.error"
}
},
"thirtieth_difference": {
"serial_diff": {
"buckets_path": [
"errors"
],
"gap_policy": "skip",
"lag": 1
}
}
}
}
}
}
}
}
}
}
响应:
{
"took": 1370,
"timed_out": false,
"aggregations": {
"composite_agg": {
"buckets": [
{
"doc_count": 3540,
"interface": {
"buckets": [
{
"doc_count": 320,
"key": "interface1",
"out_error": {
"buckets": [
{
"doc_count": 160,
"key": 1680504000000,
"errors": {
"value": 20
}
},
{
"doc_count": 64,
"thirtieth_difference": {
"value": 5
},
"key": 1680504600000,
"errors": {
"value": 15
}
}
]
}
},
{
"doc_count": 320,
"key": "interface2",
"out_error": {
"buckets": [
{
"doc_count": 160,
"key": 1680504000000,
"errors": {
"value": 0
}
},
{
"doc_count": 64,
"thirtieth_difference": {
"value": 0
},
"key": 1680504600000,
"errors": {
"value": 0
}
}
]
}
}
]
},
"key": "address1"
}
]
}
}
}
触发条件
是否可以像下面这样使用触发条件?
{
"buckets_path": {
"thirtieth_difference": "out_error[-1].thirtieth_difference"
},
"parent_bucket_path": "composite_agg>interface",
"script": {
"source": "params.thirtieth_difference > 0",
"lang": "painless"
},
"gap_policy": "skip"
}
触发条件响应
并以如下方式获得输出(Trigger condition response):
[
{
"key": 1680512400000
"composite_agg.key": "address1",
"interface.key": "interface1",
"thirtieth_difference": {
"value": 5
}
},
{
"key": 1680512400000
"composite_agg.key": "addressN",
"interface.key": "interfaceN",
"thirtieth_difference": {
"value": X
}
}
]