Creating a Custom Trigger Condition

Hi,

I built a monitor whose query condition is "Status" != "Reached" and "Gateway" == "ABC". This condition is working fine.
What I need help with is writing the trigger condition for this monitor.

monitor condition-

{
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                {
                    "range": {
                        "@timestamp": {
                            "from": "{{period_end}}||-1h",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "epoch_millis",
                            "boost": 1
                        }
                    }
                },
                {
                    "bool": {
                        "must_not": [
                            {
                                "match_phrase": {
                                    "STATUS": {
                                        "query": "Reached",
                                        "slop": 0,
                                        "zero_terms_query": "NONE",
                                        "boost": 1
                                    }
                                }
                            }
                        ],
                        "adjust_pure_negative": true,
                        "boost": 1
                    }
                },
                {
                    "match_phrase": {
                        "Gateway": {
                            "query": "ABC",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "aggregations": {}
}

Trigger condition I want-
Fire the trigger when (number of docs with status != "Reached") / (total number of docs), both restricted to "Gateway" == "ABC", is greater than 5%. Note that the monitor query above already excludes status == "Reached" via must_not, so its hit count alone gives only the numerator; the total doc count has to come from elsewhere (e.g. an aggregation over all statuses).

Any thoughts/guidance would be really appreciated.

Thank you in Advance.

Hi

I changed the monitor condition so that a single query returns both the total doc count and a per-status breakdown (a terms aggregation on the status field). Two other things changed along the way that affect what the alert measures: the time window is now 60 days instead of 1 hour, and the gateway filter is now a query_string wildcard ("*ABC*") instead of an exact match_phrase, so it also matches any gateway value that merely contains "ABC".

Updated Monitor Condition-

{
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                {
                    "range": {
                        "@timestamp": {
                            "from": "{{period_end}}||-60d",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "epoch_millis",
                            "boost": 1
                        }
                    }
                },
                {
                    "query_string": {
                        "query": "*ABC*",
                        "default_field": "mstrGateway",
                        "fields": [],
                        "type": "best_fields",
                        "default_operator": "or",
                        "max_determinized_states": 10000,
                        "enable_position_increments": true,
                        "fuzziness": "AUTO",
                        "fuzzy_prefix_length": 0,
                        "fuzzy_max_expansions": 50,
                        "phrase_slop": 0,
                        "escape": false,
                        "auto_generate_synonyms_phrase_query": true,
                        "fuzzy_transpositions": true,
                        "boost": 1
                    }
                },
                {
                    "exists": {
                        "field": "STAT",
                        "boost": 1
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "aggregations": {
        "total_docs": {
            "terms": {
                "field": "STAT.keyword",
                "size": 10,
                "min_doc_count": 1,
                "shard_min_doc_count": 0,
                "show_term_doc_count_error": false,
                "order": [
                    {
                        "_count": "desc"
                    },
                    {
                        "_key": "asc"
                    }
                ]
            }
        }
    }
}

Output-

{
    "_shards": {
        "total": 1,
        "failed": 0,
        "successful": 1,
        "skipped": 0
    },
    "hits": {
        "hits": [],
        "total": {
            "value": 7598,
            "relation": "eq"
        },
        "max_score": null
    },
    "took": 2,
    "timed_out": false,
    "aggregations": {
        "total_docs": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {
                    "doc_count": 6929,
                    "key": "DELIVRD"
                },
                {
                    "doc_count": 327,
                    "key": "UNDELIV"
                },
                {
                    "doc_count": 223,
                    "key": "EXPIRED"
                },
                {
                    "doc_count": 118,
                    "key": "REJECTD"
                },
                {
                    "doc_count": 1,
                    "key": "UNKNOWN"
                }
            ]
        }
    }
}

I need a trigger condition that evaluates to "true" when the share of delivered messages is below 95%, i.e. doc_count of the "DELIVRD" bucket divided by the total doc count is less than 0.95 (equivalently, that ratio * 100 is less than 95 — "* 100 < 0.95" as I first wrote it would only fire below 0.95%).

Two caveats about where "total" comes from in the output above: "total_docs" is the name of the terms aggregation, not a count, so the total must be read from hits.total.value (7598 here) or by summing the bucket doc_counts. Summing buckets is only exact while sum_other_doc_count is 0 — the aggregation has "size": 10, so with more than 10 distinct STAT values the remainder is not in the buckets. hits.total.value is also only exact while "relation" is "eq"; if it reports "gte" the count is capped and the percentage would be wrong, which is more likely with the 60-day window.

Please let me know if this is possible.

Screenshot-