diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst index 4d62c506..5caf8b07 100644 --- a/docs/source/ruletypes.rst +++ b/docs/source/ruletypes.rst @@ -1318,7 +1318,7 @@ default this is ``buffer_time``. This rule requires: ``metric_agg_key``: This is the name of the field over which the metric value will be calculated. The underlying type of this field must be -supported by the specified aggregation type. +supported by the specified aggregation type. If using a scripted field via ``metric_agg_script``, this is the name for your scripted field ``metric_agg_type``: The type of metric aggregation to perform on the ``metric_agg_key`` field. This must be one of 'min', 'max', 'avg', 'sum', 'cardinality', 'value_count'. @@ -1336,6 +1336,12 @@ Optional: ``query_key``: Group metric calculations by this field. For each unique value of the ``query_key`` field, the metric will be calculated and evaluated separately against the threshold(s). +``metric_agg_script``: A `Painless` formatted script describing how to calculate your metric on-the-fly:: + + metric_agg_key: myScriptedMetric + metric_agg_script: + script: doc['field1'].value * doc['field2'].value + ``min_doc_count``: The minimum number of events in the current window needed for an alert to trigger. Used in conjunction with ``query_key``, this will only consider terms which in their last ``buffer_time`` had at least ``min_doc_count`` records. Default 1. diff --git a/elastalert/ruletypes.py b/elastalert/ruletypes.py index 5c811156..3d99efe1 100644 --- a/elastalert/ruletypes.py +++ b/elastalert/ruletypes.py 
@@ -1088,6 +1088,8 @@ def get_match_str(self, match): return message def generate_aggregation_query(self): + if self.rules.get('metric_agg_script'): + return {self.metric_key: {self.rules['metric_agg_type']: self.rules['metric_agg_script']}} query = {self.metric_key: {self.rules['metric_agg_type']: {'field': self.rules['metric_agg_key']}}} if self.rules['metric_agg_type'] in self.allowed_percent_aggregations: query[self.metric_key][self.rules['metric_agg_type']]['percents'] = [self.rules['percentile_range']] @@ -1175,7 +1177,7 @@ def __init__(self, *args): self.rules['aggregation_query_element'] = self.generate_aggregation_query() def generate_aggregation_query(self): - """Lifted from MetricAggregationRule, added support for scripted fields""" + """Lifted from MetricAggregationRule""" if self.rules.get('metric_agg_script'): return {self.metric_key: {self.rules['metric_agg_type']: self.rules['metric_agg_script']}} query = {self.metric_key: {self.rules['metric_agg_type']: {'field': self.rules['metric_agg_key']}}}
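Review bot: The early return added at the top of generate_aggregation_query skips the percentile handling on the lines just below it, so a scripted aggregation whose `metric_agg_type` is in `allowed_percent_aggregations` silently loses `percentile_range`. Building the inner body first and letting the existing `percents` branch run keeps both paths consistent, e.g. `agg_body = dict(self.rules['metric_agg_script']) if self.rules.get('metric_agg_script') else {'field': self.rules['metric_agg_key']}` followed by `query = {self.metric_key: {self.rules['metric_agg_type']: agg_body}}` (the `dict()` copy avoids writing `percents` back into the shared rule config). The rule value is forwarded verbatim as the aggregation body; nothing in this hunk checks that it is a mapping with a `script` key, so a malformed entry only surfaces as an Elasticsearch query error rather than at rule load, and a comment such as `# metric_agg_script is sent to ES unchanged; validated (if at all) at config load` would make that expectation explicit. The same duplicated script branch appears in the second hunk of this file.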
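Review bot: With the base-class generate_aggregation_query now containing the identical script branch, the override in this hunk is a verbatim copy whose docstring admits it was "Lifted from MetricAggregationRule", and the two copies will drift apart on the next change. If this class inherits from MetricAggregationRule (not visible in the hunk), the override can be dropped or reduced to delegating to the parent implementation, e.g. `return super().generate_aggregation_query()` on a Python 3 code base. The body of this method continues past the end of the hunk.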