From 5bbcba3d566be4113cd468660c04cac949b7dfe0 Mon Sep 17 00:00:00 2001
From: Hendrik Muhs
Date: Mon, 21 Jun 2021 01:37:11 -0700
Subject: [PATCH] [DOCS] enhance transform example with range filter (#74284)
enhance transform example using range instead of terms for 5xx error codes
---
 docs/reference/transform/examples.asciidoc | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/docs/reference/transform/examples.asciidoc b/docs/reference/transform/examples.asciidoc
index c32be466f60d1..246f4be74af49 100644
--- a/docs/reference/transform/examples.asciidoc
+++ b/docs/reference/transform/examples.asciidoc
@@ -247,9 +247,9 @@ PUT _transform/suspicious_client_ips
 "filter": {
 "term": { "response" : "404"}}
 },
- "error503" : {
- "filter": {
- "term": { "response" : "503"}}
+ "error5xx" : {
+ "filter": {
+ "range": { "response" : { "gte": 500, "lt": 600}}}
 },
 "timestamp.min": { "min": { "field": "timestamp" }},
 "timestamp.max": { "max": { "field": "timestamp" }},
@@ -273,9 +273,10 @@ PUT _transform/suspicious_client_ips
 field to synchronize the source and destination indices. The worst case ingestion delay is 60 seconds.
 <3> The data is grouped by the `clientip` field.
-<4> Filter aggregation that counts the occurrences of successful (`200`)
-responses in the `response` field. The following two aggregations (`error404`
-and `error503`) count the error responses by error codes.
+<4> Filter aggregation that counts the occurrences of successful (`200`)
+responses in the `response` field. The following two aggregations (`error404`
+and `error5xx`) count the error responses by error codes, matching an exact
+value or a range of response codes.
 <5> This `bucket_script` calculates the duration of the `clientip` access based on the results of the aggregation.