I have the following query for my monitor. It currently triggers the monitor for any 5+ errors over a span of 10 minutes. I need it to trigger only for 5+ errors coming from at least 3 unique users over a span of 10 minutes. I don't know why it's not accounting for the unique users. Please help me!
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"from": "{{period_end}}||-10m",
"to": "{{period_end}}",
"include_lower": true,
"include_upper": true,
"format": "epoch_millis",
"boost": 1
}
}
},
{
"match_phrase": {
"level": {
"query": "ERROR",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"match_phrase": {
"Properties.featureArea": {
"query": "CARD_VIEW",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"bool": {
"must_not": [
{
"term": {
"Properties.client_event_id": {
"value": 26,
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
{
"match_phrase": {
"env": {
"query": "staging",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"aggregations": {
"users": {
"terms": {
"field": "Properties.userID.keyword",
"size": 10,
"min_doc_count": 1,
"shard_min_doc_count": 0,
"show_term_doc_count_error": false,
"order": [
{
"_count": "desc"
},
{
"_key": "asc"
}
]
},
"aggregations": {
"error_count": {
"value_count": {
"field": "level.keyword"
}
},
"unique_users": {
"cardinality": {
"field": "Properties.userID.keyword"
}
},
"user_filter": {
"bucket_selector": {
"buckets_path": {
"errorCount": "error_count",
"uniqueUserCount": "unique_users"
},
"script": {
"source": "params.errorCount >= 5 && params.uniqueUserCount >= 3",
"lang": "painless"
},
"gap_policy": "skip"
}
}
}
}
}
}