当聚合值达到某个阈值时,如何将过滤器设置为 return?
How to set up percolator to return when an aggregation value hits a certain threshold?
以下面的聚合查询为例:
{
"query": {
"match_all": {}
},
"aggs": {
"groupBy": {
"terms": {
"field": "CustomerName"
},
"aggs": {
"points_sum": {
"stats": {
"field": "TransactionAmount"
}
}
}
}
},
"size": 0
}
我想知道任何 CustomerName 的平均 TransactionAmount (stats.avg) 何时高于该客户所有购买的某个阈值,一旦我索引了一个会使我的平均值高于该阈值的文档临界点。似乎 percolator 或多或少是为将文档与规则匹配而设计的,但我找不到任何使用 percolator 来匹配基于聚合结果的规则的好例子。
这可能吗?过滤器是这里最好的解决方案吗?有another/better解决方案吗?提前致谢
您可以为此使用 Watcher 商业产品并定义以下手表:
PUT _watcher/watch/transaction_alert
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"indices": "transactions",
"types": "transaction",
"body": {
"query": {
"match_all": {}
},
"size": 0,
"aggs": {
"groupBy": {
"terms": {
"field": "CustomerName"
},
"aggs": {
"points_sum": {
"stats": {
"field": "TransactionAmount"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"inline": "return ctx.payload.aggregations.groupBy.buckets.findAll{ cust -> cust.points_sum.avg >= 200}"
}
},
"actions": {
"send_email": {
"email": {
"to": "<username>@<domainname>",
"subject": "Customer Notification - Transaction > 200",
"body": "The attached customers have a transaction average above 0"
"attachments" : {
"data.yml" : {
"data" : {
"format" : "yaml"
}
}
}
}
}
}
}
更新
总结一下:
- Watcher 是商业产品
- ElastAlert(目前)还不支持它,requires some effort 让它工作
还有另一种更简单、更便宜的方法可以使用 Logstash 实现此目的。即使 elasticsearch input plugin doesn't support aggregations, it is possible to use the http_poller input plugin in order to send an aggregation query to Elasticsearch at regular intervals. Then using a filter you can check if the desired threshold is attained or not, and finally, alert someone by email if that's the case using the email 输出插件。
配置基本上是这样的(请注意,您上面的聚合查询需要进行 URL 编码并使用 source=... parameter 发送到 ES)。另请注意,我已修改您的查询以根据 points_sum.avg (desc)
对存储桶进行排序
input {
http_poller {
urls => {
test1 => 'http://localhost:9200/your-index/_search?source=%7B%22query%22%3A%7B%22match_all%22%3A%7B%7D%7D%2C%22aggs%22%3A%7B%22groupBy%22%3A%7B%22terms%22%3A%7B%22field%22%3A%22CustomerName%22%2C%22order%22%3A%7B%22points_sum.avg%22%3A%22desc%22%7D%7D%2C%22aggs%22%3A%7B%22points_sum%22%3A%7B%22stats%22%3A%7B%22field%22%3A%22TransactionAmount%22%7D%7D%7D%7D%7D%2C%22size%22%3A0%7D'
}
# checking every 10 seconds
interval => 10
codec => "json"
}
}
filter {
split {
field => "[aggregations][groupBy][buckets]"
}
}
output {
if [aggregations][groupBy][buckets][points_sum][avg] > 200 {
email {
to => "<username>@<domainname>"
subject => "Customer Notification - Transaction > 200",
body => "The customer %{[aggregations][groupBy][buckets][key]} has a transaction average above 0"
}
}
}
同意,这是一个非常简单的实现,但它应该可以工作,您可以在它的基础上进行构建以使其更智能,有了 Logstash 和您的想象力,一切都是无限的;-)
更新 2
另一个 node.js 工具调用 elasticwatch 也可用于执行此操作。
以下面的聚合查询为例:
{
"query": {
"match_all": {}
},
"aggs": {
"groupBy": {
"terms": {
"field": "CustomerName"
},
"aggs": {
"points_sum": {
"stats": {
"field": "TransactionAmount"
}
}
}
}
},
"size": 0
}
我想知道任何 CustomerName 的平均 TransactionAmount (stats.avg) 何时高于该客户所有购买的某个阈值,一旦我索引了一个会使我的平均值高于该阈值的文档临界点。似乎 percolator 或多或少是为将文档与规则匹配而设计的,但我找不到任何使用 percolator 来匹配基于聚合结果的规则的好例子。
这可能吗?过滤器是这里最好的解决方案吗?有another/better解决方案吗?提前致谢
您可以为此使用 Watcher 商业产品并定义以下手表:
PUT _watcher/watch/transaction_alert
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"indices": "transactions",
"types": "transaction",
"body": {
"query": {
"match_all": {}
},
"size": 0,
"aggs": {
"groupBy": {
"terms": {
"field": "CustomerName"
},
"aggs": {
"points_sum": {
"stats": {
"field": "TransactionAmount"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"inline": "return ctx.payload.aggregations.groupBy.buckets.findAll{ cust -> cust.points_sum.avg >= 200}"
}
},
"actions": {
"send_email": {
"email": {
"to": "<username>@<domainname>",
"subject": "Customer Notification - Transaction > 200",
"body": "The attached customers have a transaction average above 0"
"attachments" : {
"data.yml" : {
"data" : {
"format" : "yaml"
}
}
}
}
}
}
}
更新
总结一下:
- Watcher 是商业产品
- ElastAlert(目前)还不支持它,requires some effort 让它工作
还有另一种更简单、更便宜的方法可以使用 Logstash 实现此目的。即使 elasticsearch input plugin doesn't support aggregations, it is possible to use the http_poller input plugin in order to send an aggregation query to Elasticsearch at regular intervals. Then using a filter you can check if the desired threshold is attained or not, and finally, alert someone by email if that's the case using the email 输出插件。
配置基本上是这样的(请注意,您上面的聚合查询需要进行 URL 编码并使用 source=... parameter 发送到 ES)。另请注意,我已修改您的查询以根据 points_sum.avg (desc)
input {
http_poller {
urls => {
test1 => 'http://localhost:9200/your-index/_search?source=%7B%22query%22%3A%7B%22match_all%22%3A%7B%7D%7D%2C%22aggs%22%3A%7B%22groupBy%22%3A%7B%22terms%22%3A%7B%22field%22%3A%22CustomerName%22%2C%22order%22%3A%7B%22points_sum.avg%22%3A%22desc%22%7D%7D%2C%22aggs%22%3A%7B%22points_sum%22%3A%7B%22stats%22%3A%7B%22field%22%3A%22TransactionAmount%22%7D%7D%7D%7D%7D%2C%22size%22%3A0%7D'
}
# checking every 10 seconds
interval => 10
codec => "json"
}
}
filter {
split {
field => "[aggregations][groupBy][buckets]"
}
}
output {
if [aggregations][groupBy][buckets][points_sum][avg] > 200 {
email {
to => "<username>@<domainname>"
subject => "Customer Notification - Transaction > 200",
body => "The customer %{[aggregations][groupBy][buckets][key]} has a transaction average above 0"
}
}
}
同意,这是一个非常简单的实现,但它应该可以工作,您可以在它的基础上进行构建以使其更智能,有了 Logstash 和您的想象力,一切都是无限的;-)
更新 2
另一个 node.js 工具调用 elasticwatch 也可用于执行此操作。