Question
Can elastalert be triggered when the sum of a field for all documents that match a query exceeds some value? Say each document has a "price" value - Can elastalert be triggered when the sum of the "price" values over the last day exceeds 200, for example?
Example document (JSON, keys quoted so it parses):
{
  "type": "transaction",
  "price": 20.32
}
Example rule in English:
The sum of all documents where type = 'transaction' over the past hour exceeds 200
Answer 1:
This is not supported out of the box by ElastAlert.
There's an open issue which is still unresolved, as well as a related pull request which hasn't been merged yet.
However, you may be able to modify ElastAlert by yourself by following the steps described in the issue and using the contributed patch. Should be a no-brainer.
Source: https://stackoverflow.com/questions/39754790/how-to-have-elastalert-triger-when-the-sum-of-a-field-for-all-documents-that-ma