Add metric_agg_script to MetricAggregationRule

CHANGELOG.md

@@ -15,7 +15,7 @@
 - None
 
 ## New features
-- None
+- Add metric_agg_script to MetricAggregationRule [#558](https://github.com/jertel/elastalert2/pull/558) - @dequis
 
 ## Other changes
 - sphinx 4.2.0 to 4.3.0 and tzlocal==2.1 - [#561](https://github.com/jertel/elastalert2/pull/561) - @nsano-rururu

docs/source/ruletypes.rst

@@ -1318,7 +1318,7 @@ default this is ``buffer_time``.
 This rule requires:
 
 ``metric_agg_key``: This is the name of the field over which the metric value will be calculated. The underlying type of this field must be
-supported by the specified aggregation type.
+supported by the specified aggregation type.  If using a scripted field via ``metric_agg_script``, this is the name for your scripted field
 
 ``metric_agg_type``: The type of metric aggregation to perform on the ``metric_agg_key`` field. This must be one of 'min', 'max', 'avg',
 'sum', 'cardinality', 'value_count'.
@@ -1336,6 +1336,12 @@ Optional:
 ``query_key``: Group metric calculations by this field. For each unique value of the ``query_key`` field, the metric will be calculated and
 evaluated separately against the threshold(s).
 
+``metric_agg_script``: A `Painless` formatted script describing how to calculate your metric on-the-fly::
+
+    metric_agg_key: myScriptedMetric
+    metric_agg_script:
+        script: doc['field1'].value * doc['field2'].value
+
 ``min_doc_count``: The minimum number of events in the current window needed for an alert to trigger.  Used in conjunction with ``query_key``,
 this will only consider terms which in their last ``buffer_time`` had at least ``min_doc_count`` records.  Default 1.
 

elastalert/ruletypes.py

@@ -1088,6 +1088,8 @@ def get_match_str(self, match):
         return message
 
     def generate_aggregation_query(self):
+        if self.rules.get('metric_agg_script'):
+            return {self.metric_key: {self.rules['metric_agg_type']: self.rules['metric_agg_script']}}
         query = {self.metric_key: {self.rules['metric_agg_type']: {'field': self.rules['metric_agg_key']}}}
         if self.rules['metric_agg_type'] in self.allowed_percent_aggregations:
             query[self.metric_key][self.rules['metric_agg_type']]['percents'] = [self.rules['percentile_range']]
@@ -1175,7 +1177,7 @@ def __init__(self, *args):
         self.rules['aggregation_query_element'] = self.generate_aggregation_query()
 
     def generate_aggregation_query(self):
-        """Lifted from MetricAggregationRule, added support for scripted fields"""
+        """Lifted from MetricAggregationRule"""
         if self.rules.get('metric_agg_script'):
             return {self.metric_key: {self.rules['metric_agg_type']: self.rules['metric_agg_script']}}
         query = {self.metric_key: {self.rules['metric_agg_type']: {'field': self.rules['metric_agg_key']}}}

tests/rules_test.py

@@ -1261,6 +1261,22 @@ def test_metric_aggregation_complex_query_key_bucket_interval():
     assert rule.matches[1]['sub_qk'] == 'sub_qk_val1'
 
 
+def test_metric_aggregation_scripted():
+    script_body = "doc['some_threshold'].value - doc['cpu_pct'].value"
+    rules = {'buffer_time': datetime.timedelta(minutes=5),
+             'timestamp_field': '@timestamp',
+             'metric_agg_type': 'avg',
+             'metric_agg_key': 'cpu_pct',
+             'metric_agg_script': {"script": script_body},
+             'min_threshold': 0.0}
+
+    rule = MetricAggregationRule(rules)
+    assert rule.rules['aggregation_query_element'] == {'metric_cpu_pct_avg': {'avg': {'script': script_body}}}
+
+    rule.check_matches(datetime.datetime.now(), None, {'metric_cpu_pct_avg': {'value': -0.5}})
+    assert rule.matches[0]['metric_cpu_pct_avg'] == -0.5
+
+
 def test_percentage_match():
     rules = {'match_bucket_filter': {'term': 'term_val'},
              'buffer_time': datetime.timedelta(minutes=5),