Can someone please help me configure an ElastAlert rule?
Index: elastalert_status
Aggregate on the "rule_name" field.
Task: alert when the aggregation count for rule_test_1 and rule_test_2 is at least 1.
Aggregation query:
```json
GET elastalert_status/_search
{
  "aggs": {
    "by_rule_name": {
      "terms": {
        "field": "rule_name"
      }
    }
  },
  "size": 0
}
```
Response:
```json
{
  "aggregations" : {
    "by_rule_name" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "rule_test_1",
          "doc_count" : 10
        },
        {
          "key" : "rule_test_2",
          "doc_count" : 1
        },
        {
          "key" : "rule_test_3",
          "doc_count" : 3
        }
      ]
    }
  }
}
```
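The condition described in the post, evaluated over the aggregation response shown above, as an added example that is not part of the original post: it takes any list of required rule names and a minimum count, reports which buckets fall short, and refuses to treat an absent bucket as zero when `sum_other_doc_count` shows the terms aggregation was truncated. The response is a constructed copy of the one in the post; the aggregation name `by_rule_name` is taken from the query.

```python
import json

# Constructed copy of the aggregation response quoted in the post
# (assumption: the real elastalert_status query returns the same layout).
SAMPLE_RESPONSE = json.loads("""
{
  "aggregations": {
    "by_rule_name": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {"key": "rule_test_1", "doc_count": 10},
        {"key": "rule_test_2", "doc_count": 1},
        {"key": "rule_test_3", "doc_count": 3}
      ]
    }
  }
}
""")


def bucket_counts(response, agg_name="by_rule_name"):
    """Flatten a terms aggregation into {key: doc_count}.

    Raises KeyError when the aggregation is missing, so an empty or
    malformed search response is never silently read as "zero matches".
    """
    buckets = response["aggregations"][agg_name]["buckets"]
    return {b["key"]: int(b["doc_count"]) for b in buckets}


def check_rule_counts(response, required, min_count=1, agg_name="by_rule_name"):
    """Return (ok, shortfall): ok is True only when every required rule_name
    has at least min_count documents; shortfall maps each failing name to
    the count observed (0 when its bucket is absent)."""
    agg = response["aggregations"][agg_name]
    counts = bucket_counts(response, agg_name)
    absent = [n for n in required if n not in counts]
    if absent and agg.get("sum_other_doc_count", 0) > 0:
        # The terms aggregation was cut off at its size limit, so an absent
        # key may simply not have made the top buckets: do not guess 0.
        raise ValueError(f"terms aggregation truncated; absence of {absent} is unknown")
    shortfall = {n: counts.get(n, 0) for n in required if counts.get(n, 0) < min_count}
    return (not shortfall), shortfall


if __name__ == "__main__":
    ok, short = check_rule_counts(SAMPLE_RESPONSE, ["rule_test_1", "rule_test_2"])
    print("alert condition met" if ok else f"below threshold: {short}")
```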