A typical use case we have is related to alerting based on collected logs in OpenSearch.
We want to alert only when there is some critical event X AND there was NO other event Y within the same time frame.
We are almost getting there by creating an alert rule that has multiple queries:
- Query A, Reduce Expression B, Math Expression C ($B > 0)
- Query E, Reduce Expression F, Math Expression G ($F > 0)
- Alert Condition is another Expression: $C > 0 && $G != 1
The problem is that with the OpenSearch query we are querying for some specific terms. If these terms do not exist, Query E returns no_data.
None of the math expressions do anything with no_data. For example, if we could use an expression like is_null($F), it would be solved. But as it is, this does not work when one of the queries returns no_data.
Any idea how this could be solved?