我有一个包含汇率更改日志的索引。索引中的文档如下所示
{
"sourceId": "gh-ghs",
"targetCountry": "gh",
"targetCurrency": "ghs",
"rate": 2.3,
"modified": "2021-04-07T12:00:57.2760000Z",
},
{
"sourceId": "gh-ghs",
"targetCountry": "gh",
"targetCurrency": "ghs",
"rate": 2.5,
"modified": "2021-04-06T12:00:57.2760000Z",
},
{
"sourceId": "mx-mxn",
"targetCountry": "mx",
"targetCurrency": "mxn",
"rate": 20.3,
"modified": "2021-04-08T12:00:57.2760000Z",
},
{
"sourceId": "mx-mxn",
"targetCountry": "mx",
"targetCurrency": "mxn",
"rate": 2.2,
"modified": "2021-04-07T12:00:57.2760000Z",
},
{
"sourceId": "mx-mxn",
"targetCountry": "mx",
"targetCurrency": "mxn",
"rate": 2.23,
"modified": "2021-04-06T12:00:57.2760000Z",
}如您所见,我们有每个目的地(国家/地区+货币)的汇率变化。请查看mx-mxn文档。最后一次更改是从2.2更改为20.3。可能是人为错误,我们希望对此类情况发出警告。
我尝试创建以下查询以查找重要更改
{
"query": {
"bool": {
"must": [],
{
"range": {
"modified": {
"format": "strict_date_optional_time",
"gte": "now",
"lte": "now - 5h"
}
}
}
],
"should": [],
"must_not": []
}
},
"aggs": {
"group": {
"terms": {
"field": "sourceId",
"size": 1000
},
"aggs": {
"2-metric": {
"top_metrics": {
"metrics": {
"field": "rate"
},
"size": 2,
"sort": {
"modified": "desc"
}
}
}
}
}
}
}使用这个查询,我设法按目标获取最新的更改。
{
"aggregations": {
"group": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "mx-mxn",
"doc_count": 25,
"2-metric": {
"top": [
{
"sort": [
"2022-10-16T15:01:57.098Z"
],
"metrics": {
"rate": 12
}
},
{
"sort": [
"2022-10-16T13:01:57.098Z"
],
"metrics": {
"rate": 150
}
}
]
}
},
{
"key": "gh-ghs",
"doc_count": 18,
"2-metric": {
"top": [
{
"sort": [
"2022-10-14T11:28:38.995Z"
],
"metrics": {
"rate": 11.25
}
},
{
"sort": [
"2022-10-13T11:37:09.945Z"
],
"metrics": {
"rate": 10.9609375
}
}
]
}
}
]
}
}
}因此,我设法为每个目的地获取了两个最新更改。但我想为所有值更改超过10%的存储桶设置警报。在本例中,它是mx-mxn。我如何在Elastic和Kibana中做到这一点?
1条答案
按热度按时间ou6hu8tu1#
Tldr;
要收集“检测”数据:
要执行警报: