I am attaching my alert json below. > { > "severity": { > "value": "data._value[-1].cpu_usage_round", > "order": "ascending", > "mapping": [ > { > "level": "critical", > "threshold": 10 > } > ] > }, > "checks": [ > { > "type": "search", > "name": "mysearch", > "target": "mysearch", > "request": { > "body": { > "size": 0, > "query": { > "bool": { > "must": [ > { > "range": { > "@timestamp": { > "gte": "now-3m", > "lte": "now" > } > } > } > ] > } > }, > "aggregations": { > "bucketAgg": { > "terms": { > "field": "agent.hostname.keyword", > "size": 500, > "order": { > "metricAgg": "desc" > } > }, > "aggregations": { > "metricAgg": { > "avg": { > "field": "system.load.1" > } > }, > "Account": { > "terms": { > "field": "cloud.account.id.keyword" > } > }, > "ID": { > "terms": { > "field": "cloud.instance.id.keyword" > } > }, > "Region": { > "terms": { > "field": "cloud.region.keyword" > } > }, > "Time": { > "terms": { > "field": "@timestamp" > } > } > } > } > } > }, > "indices": [ > "metricbeateoprodsec-7.17.6-2022.11.17" > ] > } > }, > { > "type": "transform", > "name": "data_normalization", > "source": "def hosts=data.mysearch.aggregations.bucketAgg.buckets;\r\nreturn hosts.stream().filter(h->{ def cpu_usage=h.metricAgg.value; return cpu_usage>10; }).map(h->{def cpu_usage=h.metricAgg.value; def cpu_usage_round=BigDecimal.valueOf(cpu_usage*1).setScale(2, RoundingMode.HALF_EVEN); def acc=h.Account.buckets[0].key; def reg=h.Region.buckets[0].key; def id=h.ID.buckets[0].key; def date=h.Time.buckets[0].key_as_string; return['host': h.key, 'cpu_usage': cpu_usage*1, 'cpu_usage_round': cpu_usage_round, 'acc': acc, 'reg': reg, 'date': date, 'id': id];}).collect(Collectors.toList());", > "lang": "painless" > } > ], > "resolve_actions": [ > { > "type": "index", > "name": "myelasticsearch", > "index": "cpu_alerts_index_crirical_clear", > "checks": [], > "resolves_severity": [ > "critical" > ] > }, > { > "type": "webhook", > "name": "mywebhook", > "request": { > "method": "POST", > "url": "https://rtpcool01lx.msts.ericsson.net:1522/probe/webhook", > "body": "{\n\"Type\": \"Notification,\n\"json.Message.Hostname\": \"{{#data._value}}{{host}},{{/data._value}}\",\n\"Text\": \"Severity level is now {{severity.level}}. The value has decreased from to {{severity.value}}%\",\n\"Message.Region\": \"{{#data._value}}{{reg}},{{/data._value}}\",\n\"Message.AWSAccountId\": \"{{#data._value}}{{acc}},{{/data._value}}\",\n\"Message.StateChangeTime\": \"{{execution_time}}\",\n\"Message.NewStateValue\": \"clear\",\n\"Message.Trigger.MetricName\": \"CPU Utilization %\",\n\"Message.AlarmName\": \"{{#data._value}}{{host}},{{/data._value}}\",\n\"Message.Trigger.Namespace\": \"AWS/EC2\",\n\"Message.AlarmDescription\": \"CPU Utilization % For Hosts\",\n\"Message.Source\": \"ELK\",\n\"Message.Trigger.Dimensions.0.value\": \"{{#data._value}}{{id}},{{/data._value}}\",\n\"Message.Trigger.Threshold\": \"80%\",\n\"Message.NewStateReason\": \"CPU Utilization has breached the threshold {{#data._value}}{{cpu_usage_round}}%,{{/data._value}}\"\n}", > "headers": { > "Content-type": "application/json" > } > }, > "checks": [], > "resolves_severity": [ > "critical" > ] > } > ], > "active": true, > "_meta": { > "last_edit": { > "user": "admin", > "date": "2022-11-17T14:11:09.302Z" > } > }, > "trigger": { > "schedule": { > "interval": [ > "3m" > ], > "timezone": "Europe/Berlin" > } > }, > "_tenant": "_main", > "actions": [ > { > "type": "index", > "name": "myelasticsearch", > "index": "cpu_alerts_index", > "checks": [], > "severity": [ > "critical" > ], > "throttle_period": "1s" > }, > { > "type": "webhook", > "name": "mywebhook", > "request": { > "method": "POST", > "url": "https://rtpcool01lx.msts.ericsson.net:1522/probe/webhook", > "body": " {\n \"Type\": \"Notification\",\n \"Text\": \"{{#data._value}}{{host}},{{/data._value}}\",\n \"Message.Region\": \"{{#data._value}}{{reg}},{{/data._value}}\",\n \"Message.AWSAccountId\": \"{{#data._value}}{{id}},{{/data._value}}\",\n \"Message.StateChangeTime\": \"{{execution_time}}\",\n \"Message.Trigger.MetricName\": \"CPU Utilization %\",\n \"Message.AlarmName\": \"{{#data._value}}{{host}},{{/data._value}}\",\n \"Message.NewStateValue\": \"{{severity.level}}\",\n \"Message.Trigger.Namespace\": \"AWS/EC2\",\n \"Message.AlarmDescription\": \"CPU Utilization % For Hosts\",\n \"Message.Trigger.Dimensions.0.value\": \"{{#data._value}}{{id}},{{/data._value}}\",\n \"Message.Trigger.Threshold\": \"80%\",\n \"Message.Source\": \"ELK\",\n \"Message.NewStateReason\": \"CPU Utilization has breached the threshold {{#data._value}}{{cpu_usage_round}}%,{{/data._value}}\"\n }", > "headers": { > "Content-type": "application/json" > } > }, > "checks": [], > "severity": [ > "critical" > ], > "throttle_period": "1s" > } > ], > "_id": "cpu_critical_alert_watch" > } I will show you how i am getting the data. 1. If i run my ES query for getting all the hosts with CPU load,region,id,account info, here is the output. Output: > { > "watch": { > "id": "__inline_watch", > "tenant": "_main" > }, > "data": { > "mysearch": { > "_shards": { > "total": 10, > "failed": 0, > "successful": 10, > "skipped": 0 > }, > "hits": { > "hits": [], > "total": { > "value": 6161, > "relation": "eq" > }, > "max_score": null > }, > "took": 472, > "timed_out": false, > "aggregations": { > "bucketAgg": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 460, > "key": "069568587955" > } > ] > }, > "doc_count": 460, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 460, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 367, > "buckets": [ > { > "key_as_string": "2022-11-19T10:43:04.712Z", > "doc_count": 14, > "key": 1668854584712 > }, > { > "key_as_string": "2022-11-19T10:45:04.712Z", > "doc_count": 14, > "key": 1668854704712 > }, > { > "key_as_string": "2022-11-19T10:44:04.711Z", > "doc_count": 9, > "key": 1668854644711 > }, > { > "key_as_string": "2022-11-19T10:42:14.710Z", > "doc_count": 8, > "key": 1668854534710 > }, > { > "key_as_string": "2022-11-19T10:42:54.710Z", > "doc_count": 8, > "key": 1668854574710 > }, > { > "key_as_string": "2022-11-19T10:43:14.842Z", > "doc_count": 8, > "key": 1668854594842 > }, > { > "key_as_string": "2022-11-19T10:43:44.710Z", > "doc_count": 8, > "key": 1668854624710 > }, > { > "key_as_string": "2022-11-19T10:43:54.710Z", > "doc_count": 8, > "key": 1668854634710 > }, > { > "key_as_string": "2022-11-19T10:44:24.710Z", > "doc_count": 8, > "key": 1668854664710 > }, > { > "key_as_string": "2022-11-19T10:44:44.710Z", > "doc_count": 8, > "key": 1668854684710 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 460, > "key": "i-0ec89d3c8d8c7b7b6" > } > ] > }, > "metricAgg": { > "value": 0.16666666666666666 > }, > "key": "sdsprodeocmsec203eda1" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 669, > "key": "069568587955" > } > ] > }, > "doc_count": 669, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 669, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 553, > "buckets": [ > { > "key_as_string": "2022-11-19T10:43:58.663Z", > "doc_count": 19, > "key": 1668854638663 > }, > { > "key_as_string": "2022-11-19T10:44:58.664Z", > "doc_count": 19, > "key": 1668854698664 > }, > { > "key_as_string": "2022-11-19T10:42:58.663Z", > "doc_count": 11, > "key": 1668854578663 > }, > { > "key_as_string": "2022-11-19T10:42:18.663Z", > "doc_count": 10, > "key": 1668854538663 > }, > { > "key_as_string": "2022-11-19T10:42:38.663Z", > "doc_count": 10, > "key": 1668854558663 > }, > { > "key_as_string": "2022-11-19T10:44:08.663Z", > "doc_count": 10, > "key": 1668854648663 > }, > { > "key_as_string": "2022-11-19T10:44:18.663Z", > "doc_count": 10, > "key": 1668854658663 > }, > { > "key_as_string": "2022-11-19T10:42:30.396Z", > "doc_count": 9, > "key": 1668854550396 > }, > { > "key_as_string": "2022-11-19T10:42:40.396Z", > "doc_count": 9, > "key": 1668854560396 > }, > { > "key_as_string": "2022-11-19T10:42:50.396Z", > "doc_count": 9, > "key": 1668854570396 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 669, > "key": "i-0bc0cebf5a5f1ee0e" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203core1" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 680, > "key": "069568587955" > } > ] > }, > "doc_count": 680, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 680, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 561, > "buckets": [ > { > "key_as_string": "2022-11-19T10:42:53.432Z", > "doc_count": 14, > "key": 1668854573432 > }, > { > "key_as_string": "2022-11-19T10:43:53.432Z", > "doc_count": 14, > "key": 1668854633432 > }, > { > "key_as_string": "2022-11-19T10:44:53.432Z", > "doc_count": 14, > "key": 1668854693432 > }, > { > "key_as_string": "2022-11-19T10:42:25.160Z", > "doc_count": 11, > "key": 1668854545160 > }, > { > "key_as_string": "2022-11-19T10:42:35.161Z", > "doc_count": 11, > "key": 1668854555161 > }, > { > "key_as_string": "2022-11-19T10:42:45.161Z", > "doc_count": 11, > "key": 1668854565161 > }, > { > "key_as_string": "2022-11-19T10:42:55.160Z", > "doc_count": 11, > "key": 1668854575160 > }, > { > "key_as_string": "2022-11-19T10:43:05.160Z", > "doc_count": 11, > "key": 1668854585160 > }, > { > "key_as_string": "2022-11-19T10:43:15.161Z", > "doc_count": 11, > "key": 1668854595161 > }, > { > "key_as_string": "2022-11-19T10:43:25.160Z", > "doc_count": 11, > "key": 1668854605160 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 680, > "key": "i-0b6edf2d66c0c6450" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203core2" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 352, > "key": "069568587955" > } > ] > }, > "doc_count": 352, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 352, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 274, > "buckets": [ > { > "key_as_string": "2022-11-19T10:42:46.822Z", > "doc_count": 9, > "key": 1668854566822 > }, > { > "key_as_string": "2022-11-19T10:43:46.822Z", > "doc_count": 9, > "key": 1668854626822 > }, > { > "key_as_string": "2022-11-19T10:44:46.822Z", > "doc_count": 9, > "key": 1668854686822 > }, > { > "key_as_string": "2022-11-19T10:43:06.819Z", > "doc_count": 8, > "key": 1668854586819 > }, > { > "key_as_string": "2022-11-19T10:45:06.819Z", > "doc_count": 8, > "key": 1668854706819 > }, > { > "key_as_string": "2022-11-19T10:42:16.819Z", > "doc_count": 7, > "key": 1668854536819 > }, > { > "key_as_string": "2022-11-19T10:42:26.819Z", > "doc_count": 7, > "key": 1668854546819 > }, > { > "key_as_string": "2022-11-19T10:42:36.819Z", > "doc_count": 7, > "key": 1668854556819 > }, > { > "key_as_string": "2022-11-19T10:42:46.819Z", > "doc_count": 7, > "key": 1668854566819 > }, > { > "key_as_string": "2022-11-19T10:42:56.819Z", > "doc_count": 7, > "key": 1668854576819 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 352, > "key": "i-0cfc6029f70f12489" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203cwf1" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 383, > "key": "069568587955" > } > ] > }, > "doc_count": 383, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 383, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 300, > "buckets": [ > { > "key_as_string": "2022-11-19T10:43:51.638Z", > "doc_count": 12, > "key": 1668854631638 > }, > { > "key_as_string": "2022-11-19T10:42:51.638Z", > "doc_count": 11, > "key": 1668854571638 > }, > { > "key_as_string": "2022-11-19T10:44:51.637Z", > "doc_count": 9, > "key": 1668854691637 > }, > { > "key_as_string": "2022-11-19T10:42:21.767Z", > "doc_count": 8, > "key": 1668854541767 > }, > { > "key_as_string": "2022-11-19T10:43:21.768Z", > "doc_count": 8, > "key": 1668854601768 > }, > { > "key_as_string": "2022-11-19T10:42:21.643Z", > "doc_count": 7, > "key": 1668854541643 > }, > { > "key_as_string": "2022-11-19T10:42:31.643Z", > "doc_count": 7, > "key": 1668854551643 > }, > { > "key_as_string": "2022-11-19T10:42:41.643Z", > "doc_count": 7, > "key": 1668854561643 > }, > { > "key_as_string": "2022-11-19T10:42:41.768Z", > "doc_count": 7, > "key": 1668854561768 > }, > { > "key_as_string": "2022-11-19T10:42:51.643Z", > "doc_count": 7, > "key": 1668854571643 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 383, > "key": "i-07b6cefc2446b479c" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203cwf2" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 475, > "key": "069568587955" > } > ] > }, > "doc_count": 475, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 475, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 345, > "buckets": [ > { > "key_as_string": "2022-11-19T10:42:24.716Z", > "doc_count": 14, > "key": 1668854544716 > }, > { > "key_as_string": "2022-11-19T10:44:04.716Z", > "doc_count": 14, > "key": 1668854644716 > }, > { > "key_as_string": "2022-11-19T10:44:14.716Z", > "doc_count": 14, > "key": 1668854654716 > }, > { > "key_as_string": "2022-11-19T10:44:34.716Z", > "doc_count": 14, > "key": 1668854674716 > }, > { > "key_as_string": "2022-11-19T10:42:14.716Z", > "doc_count": 13, > "key": 1668854534716 > }, > { > "key_as_string": "2022-11-19T10:43:24.716Z", > "doc_count": 13, > "key": 1668854604716 > }, > { > "key_as_string": "2022-11-19T10:42:44.716Z", > "doc_count": 12, > "key": 1668854564716 > }, > { > "key_as_string": "2022-11-19T10:42:54.716Z", > "doc_count": 12, > "key": 1668854574716 > }, > { > "key_as_string": "2022-11-19T10:43:14.715Z", > "doc_count": 12, > "key": 1668854594715 > }, > { > "key_as_string": "2022-11-19T10:44:24.715Z", > "doc_count": 12, > "key": 1668854664715 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 475, > "key": "i-06453bf0eefe97c31" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203eda2" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 476, > "key": "069568587955" > } > ] > }, > "doc_count": 476, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 476, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 389, > "buckets": [ > { > "key_as_string": "2022-11-19T10:45:04.715Z", > "doc_count": 11, > "key": 1668854704715 > }, > { > "key_as_string": "2022-11-19T10:43:04.715Z", > "doc_count": 9, > "key": 1668854584715 > }, > { > "key_as_string": "2022-11-19T10:43:04.718Z", > "doc_count": 9, > "key": 1668854584718 > }, > { > "key_as_string": "2022-11-19T10:43:34.718Z", > "doc_count": 9, > "key": 1668854614718 > }, > { > "key_as_string": "2022-11-19T10:44:04.715Z", > "doc_count": 9, > "key": 1668854644715 > }, > { > "key_as_string": "2022-11-19T10:42:14.819Z", > "doc_count": 8, > "key": 1668854534819 > }, > { > "key_as_string": "2022-11-19T10:42:24.820Z", > "doc_count": 8, > "key": 1668854544820 > }, > { > "key_as_string": "2022-11-19T10:42:34.819Z", > "doc_count": 8, > "key": 1668854554819 > }, > { > "key_as_string": "2022-11-19T10:42:44.819Z", > "doc_count": 8, > "key": 1668854564819 > }, > { > "key_as_string": "2022-11-19T10:42:54.820Z", > "doc_count": 8, > "key": 1668854574820 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 476, > "key": "i-0a3e4ab03825849bb" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203eda3" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 288, > "key": "069568587955" > } > ] > }, > "doc_count": 288, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 288, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 220, > "buckets": [ > { > "key_as_string": "2022-11-19T10:43:13.301Z", > "doc_count": 9, > "key": 1668854593301 > }, > { > "key_as_string": "2022-11-19T10:44:13.301Z", > "doc_count": 9, > "key": 1668854653301 > }, > { > "key_as_string": "2022-11-19T10:42:13.302Z", > "doc_count": 8, > "key": 1668854533302 > }, > { > "key_as_string": "2022-11-19T10:42:13.420Z", > "doc_count": 6, > "key": 1668854533420 > }, > { > "key_as_string": "2022-11-19T10:42:33.420Z", > "doc_count": 6, > "key": 1668854553420 > }, > { > "key_as_string": "2022-11-19T10:42:53.420Z", > "doc_count": 6, > "key": 1668854573420 > }, > { > "key_as_string": "2022-11-19T10:43:23.420Z", > "doc_count": 6, > "key": 1668854603420 > }, > { > "key_as_string": "2022-11-19T10:43:43.420Z", > "doc_count": 6, > "key": 1668854623420 > }, > { > "key_as_string": "2022-11-19T10:44:03.420Z", > "doc_count": 6, > "key": 1668854643420 > }, > { > "key_as_string": "2022-11-19T10:44:33.421Z", > "doc_count": 6, > "key": 1668854673421 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 288, > "key": "i-0ce547c1fdc7111ea" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203esa1" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 275, > "key": "069568587955" > } > ] > }, > "doc_count": 275, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 275, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 208, > "buckets": [ > { > "key_as_string": "2022-11-19T10:43:02.453Z", > "doc_count": 9, > "key": 1668854582453 > }, > { > "key_as_string": "2022-11-19T10:44:02.454Z", > "doc_count": 8, > "key": 1668854642454 > }, > { > "key_as_string": "2022-11-19T10:45:02.453Z", > "doc_count": 8, > "key": 1668854702453 > }, > { > "key_as_string": "2022-11-19T10:42:32.507Z", > "doc_count": 6, > "key": 1668854552507 > }, > { > "key_as_string": "2022-11-19T10:42:52.507Z", > "doc_count": 6, > "key": 1668854572507 > }, > { > "key_as_string": "2022-11-19T10:43:02.507Z", > "doc_count": 6, > "key": 1668854582507 > }, > { > "key_as_string": "2022-11-19T10:43:22.507Z", > "doc_count": 6, > "key": 1668854602507 > }, > { > "key_as_string": "2022-11-19T10:43:32.507Z", > "doc_count": 6, > "key": 1668854612507 > }, > { > "key_as_string": "2022-11-19T10:44:02.507Z", > "doc_count": 6, > "key": 1668854642507 > }, > { > "key_as_string": "2022-11-19T10:44:12.507Z", > "doc_count": 6, > "key": 1668854652507 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 275, > "key": "i-019d28551c82f0031" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203esa2" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 343, > "key": "069568587955" > } > ] > }, > "doc_count": 343, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 343, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 262, > "buckets": [ > { > "key_as_string": "2022-11-19T10:43:08.950Z", > "doc_count": 12, > "key": 1668854588950 > }, > { > "key_as_string": "2022-11-19T10:44:08.951Z", > "doc_count": 10, > "key": 1668854648951 > }, > { > "key_as_string": "2022-11-19T10:45:08.950Z", > "doc_count": 10, > "key": 1668854708950 > }, > { > "key_as_string": "2022-11-19T10:42:18.954Z", > "doc_count": 7, > "key": 1668854538954 > }, > { > "key_as_string": "2022-11-19T10:42:28.954Z", > "doc_count": 7, > "key": 1668854548954 > }, > { > "key_as_string": "2022-11-19T10:42:29.064Z", > "doc_count": 7, > "key": 1668854549064 > }, > { > "key_as_string": "2022-11-19T10:42:38.954Z", > "doc_count": 7, > "key": 1668854558954 > }, > { > "key_as_string": "2022-11-19T10:42:48.953Z", > "doc_count": 7, > "key": 1668854568953 > }, > { > "key_as_string": "2022-11-19T10:42:58.954Z", > "doc_count": 7, > "key": 1668854578954 > }, > { > "key_as_string": "2022-11-19T10:42:59.065Z", > "doc_count": 7, > "key": 1668854579065 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 343, > "key": "i-04ec1a5ffc07d60c3" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203nso1" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 337, > "key": "069568587955" > } > ] > }, > "doc_count": 337, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 337, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 231, > "buckets": [ > { > "key_as_string": "2022-11-19T10:42:51.999Z", > "doc_count": 17, > "key": 1668854571999 > }, > { > "key_as_string": "2022-11-19T10:43:51.999Z", > "doc_count": 17, > "key": 1668854631999 > }, > { > "key_as_string": "2022-11-19T10:44:51.999Z", > "doc_count": 16, > "key": 1668854691999 > }, > { > "key_as_string": "2022-11-19T10:42:21.999Z", > "doc_count": 8, > "key": 1668854541999 > }, > { > "key_as_string": "2022-11-19T10:42:31.999Z", > "doc_count": 8, > "key": 1668854551999 > }, > { > "key_as_string": "2022-11-19T10:42:41.999Z", > "doc_count": 8, > "key": 1668854561999 > }, > { > "key_as_string": "2022-11-19T10:43:11.999Z", > "doc_count": 8, > "key": 1668854591999 > }, > { > "key_as_string": "2022-11-19T10:43:21.999Z", > "doc_count": 8, > "key": 1668854601999 > }, > { > "key_as_string": "2022-11-19T10:43:42.125Z", > "doc_count": 8, > "key": 1668854622125 > }, > { > "key_as_string": "2022-11-19T10:44:01.999Z", > "doc_count": 8, > "key": 1668854641999 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 337, > "key": "i-05b1cddc14b8ff32c" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203nso2" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 477, > "key": "069568587955" > } > ] > }, > "doc_count": 477, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 477, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 380, > "buckets": [ > { > "key_as_string": "2022-11-19T10:45:07.931Z", > "doc_count": 12, > "key": 1668854707931 > }, > { > "key_as_string": "2022-11-19T10:43:07.930Z", > "doc_count": 11, > "key": 1668854587930 > }, > { > "key_as_string": "2022-11-19T10:44:07.930Z", > "doc_count": 11, > "key": 1668854647930 > }, > { > "key_as_string": "2022-11-19T10:42:18.039Z", > "doc_count": 9, > "key": 1668854538039 > }, > { > "key_as_string": "2022-11-19T10:42:28.038Z", > "doc_count": 9, > "key": 1668854548038 > }, > { > "key_as_string": "2022-11-19T10:42:38.039Z", > "doc_count": 9, > "key": 1668854558039 > }, > { > "key_as_string": "2022-11-19T10:42:48.038Z", > "doc_count": 9, > "key": 1668854568038 > }, > { > "key_as_string": "2022-11-19T10:42:58.039Z", > "doc_count": 9, > "key": 1668854578039 > }, > { > "key_as_string": "2022-11-19T10:43:08.038Z", > "doc_count": 9, > "key": 1668854588038 > }, > { > "key_as_string": "2022-11-19T10:43:18.038Z", > "doc_count": 9, > "key": 1668854598038 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 477, > "key": "i-08560f9bdd8a60cd2" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203rdb1" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 472, > "key": "069568587955" > } > ] > }, > "doc_count": 472, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 472, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 379, > "buckets": [ > { > "key_as_string": "2022-11-19T10:42:56.621Z", > "doc_count": 10, > "key": 1668854576621 > }, > { > "key_as_string": "2022-11-19T10:43:56.621Z", > "doc_count": 10, > "key": 1668854636621 > }, > { > "key_as_string": "2022-11-19T10:44:56.621Z", > "doc_count": 10, > "key": 1668854696621 > }, > { > "key_as_string": "2022-11-19T10:42:26.719Z", > "doc_count": 9, > "key": 1668854546719 > }, > { > "key_as_string": "2022-11-19T10:42:56.720Z", > "doc_count": 9, > "key": 1668854576720 > }, > { > "key_as_string": "2022-11-19T10:43:26.720Z", > "doc_count": 9, > "key": 1668854606720 > }, > { > "key_as_string": "2022-11-19T10:43:36.719Z", > "doc_count": 9, > "key": 1668854616719 > }, > { > "key_as_string": "2022-11-19T10:44:16.719Z", > "doc_count": 9, > "key": 1668854656719 > }, > { > "key_as_string": "2022-11-19T10:44:36.720Z", > "doc_count": 9, > "key": 1668854676720 > }, > { > "key_as_string": "2022-11-19T10:44:46.720Z", > "doc_count": 9, > "key": 1668854686720 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 472, > "key": "i-07a400a8b31e53f93" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203rdb2" > }, > { > "Account": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 474, > "key": "069568587955" > } > ] > }, > "doc_count": 474, > "Region": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 474, > "key": "us-east-1" > } > ] > }, > "Time": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 374, > "buckets": [ > { > "key_as_string": "2022-11-19T10:44:08.443Z", > "doc_count": 15, > "key": 1668854648443 > }, > { > "key_as_string": "2022-11-19T10:43:08.442Z", > "doc_count": 11, > "key": 1668854588442 > }, > { > "key_as_string": "2022-11-19T10:45:08.442Z", > "doc_count": 11, > "key": 1668854708442 > }, > { > "key_as_string": "2022-11-19T10:42:28.540Z", > "doc_count": 9, > "key": 1668854548540 > }, > { > "key_as_string": "2022-11-19T10:42:48.539Z", > "doc_count": 9, > "key": 1668854568539 > }, > { > "key_as_string": "2022-11-19T10:42:58.540Z", > "doc_count": 9, > "key": 1668854578540 > }, > { > "key_as_string": "2022-11-19T10:43:08.540Z", > "doc_count": 9, > "key": 1668854588540 > }, > { > "key_as_string": "2022-11-19T10:43:28.540Z", > "doc_count": 9, > "key": 1668854608540 > }, > { > "key_as_string": "2022-11-19T10:43:38.540Z", > "doc_count": 9, > "key": 1668854618540 > }, > { > "key_as_string": "2022-11-19T10:44:08.540Z", > "doc_count": 9, > "key": 1668854648540 > } > ] > }, > "ID": { > "doc_count_error_upper_bound": 0, > "sum_other_doc_count": 0, > "buckets": [ > { > "doc_count": 474, > "key": "i-0276e12838f8726af" > } > ] > }, > "metricAgg": { > "value": 0 > }, > "key": "sdsprodeocmsec203rdb3" > } > ] > } > } > } > }, > "severity": null, > "trigger": { > "triggered_time": null, > "scheduled_time": null, > "previous_scheduled_time": null, > "next_scheduled_time": null > }, > "execution_time": "2022-11-19T10:45:12.778095084Z" > } > Blockquote`Preformatted text` 2. On this data, I have included tranform as shown below and here is the output. i have taken the threshold as 0 here just to show you. Code: > { > "type": "transform", > "name": "data_normalization", > "source": "def hosts=data.mysearch.aggregations.bucketAgg.buckets;\r\nreturn hosts.stream().filter(h->{ def cpu_usage=h.metricAgg.value; return cpu_usage>0; }).map(h->{def cpu_usage=h.metricAgg.value; def cpu_usage_round=BigDecimal.valueOf(cpu_usage*1).setScale(2, RoundingMode.HALF_EVEN); def acc=h.Account.buckets[0].key; def reg=h.Region.buckets[0].key; def id=h.ID.buckets[0].key; def date=h.Time.buckets[0].key_as_string; return['host': h.key, 'cpu_usage': cpu_usage*1, 'cpu_usage_round': cpu_usage_round, 'acc': acc, 'reg': reg, 'date': date, 'id': id];}).collect(Collectors.toList());", > "lang": "painless" > } Output: > { > "watch": { > "id": "__inline_watch", > "tenant": "_main" > }, > "data": { > "_value": [ > { > "acc": "069568587955", > "date": "2022-11-19T10:34:53.432Z", > "reg": "us-east-1", > "host": "sdsprodeocmsec203core2", > "id": "i-0b6edf2d66c0c6450", > "cpu_usage": 0.1111111111111111, > "cpu_usage_round": 0.11 > }, > { > "acc": "069568587955", > "date": "2022-11-19T10:34:04.712Z", > "reg": "us-east-1", > "host": "sdsprodeocmsec203eda1", > "id": "i-0ec89d3c8d8c7b7b6", > "cpu_usage": 0.06666666666666667, > "cpu_usage_round": 0.07 > } > ] > }, > "severity": null, > "trigger": { > "triggered_time": null, > "scheduled_time": null, > "previous_scheduled_time": null, > "next_scheduled_time": null > }, > "execution_time": "2022-11-19T10:48:29.422968107Z" > } Now i want to send this alert with severity critical. Can you guide me what field should i write under severity option?