How to have elastalert triger when the sum of a field, for all documents that match a query, exceeds some value

Question

Can elastalert be triggered when the sum of a field for all documents that match a query exceeds some value? Say each document has a "price" value - Can elastalert be triggered when the sum of the "price" values over the last day exceeds 200, for example?

Example document:

{
  type: "transaction",
  price: 20.32
}

Example rule in english:

The sum of all documents where type = 'transaction' over the past hour exceeds 200

score 0 · Answer 1 · answered Oct 05 '16 at 04:12

0

This is not supported out of the box by ElastAlert.

There's an open issue which is still unresolved yet, as well as a related pull request which hasn't been merged yet.

However, you may be able to modify ElastAlert by yourself by following the steps described in the issue and using the contributed patch. Should be a no brainer.

answered Oct 05 '16 at 04:12

Val

207,596
13
358
360

If you don't feel like modifying ElastAlert, see my updated answer in your [other question](http://stackoverflow.com/a/39761323/4604579), which provides yet another a free alternative ;-) – Val Oct 05 '16 at 04:57
@Jim do you still need any more info on this? – Val Oct 11 '16 at 18:21

How to have elastalert triger when the sum of a field, for all documents that match a query, exceeds some value

1 Answers1

Linked