Alert on ES field value?

Question

Alert on ES field value?

ceeeekay opened this issue 6 years ago · comments

Is it possible to alert based on the value in a field?

I'm using a max aggregation which always returns exactly one result, but it's the value of the field that I'm interested in. I don't see any way to do this.

Possible feature request?

Cheers.

Kai · Answer 1 · Tue Jul 31 2018 23:01:20 GMT+0800 (China Standard Time)

Hi. Could you provide a concrete example of what you'd like to accomplish?

Chris · Answer 2 · Fri Aug 03 2018 08:05:56 GMT+0800 (China Standard Time)

@kiwiz Using the following ES agg as an example, I'd like to set up a 411 alert to trigger if the result of the aggregation is over a certain value, e.g.,

  "aggs": {
    "1": {
      "max": {
        "field": "latency.total"
      }
    }
  }

I'm trying to reproduce this in 411 like so:
type:latency test | agg:max field:latency.total.

This query always returns a single result (as expected) but it's the value if the result I'm interested in, i.e., if max agg of latency.total > 60 then alert.

I don't see any way to do this with the result type options that 411 presents.

Thanks :)