Unexpected results with top_count_keys and only one hit

[jmacdone]

The top_events_%s keys are not populated when there is only one matching result. Maybe the conditional linked below should return something more like return {endtime: 1} if the res['hits']['total']['value'] == 1 ? Or, something else long those lines, rather than returning just an empty dictionary?

https://github.com/jertel/elastalert2/blob/master/elastalert/elastalert.py#L503

https://github.com/jertel/elastalert2/commit/9f216ed8ca149b92a6c853b65598615cda514029#diff-de8c5a47817fa23d1afa305e6d3c3e8ee717e7236c4278a57df4ab30d4ecddcaR272

[jertel]

Good idea. The value for endtime likely needs to be a list in order for the rest of the get_top_counts() code to work, but yes, similar to your proposal. Feel free to submit a PR if this is important to you. Be sure to read the contribution guidelines first.

[jmacdone]

I think it's more likely than not this was patched up with #1330. I'm getting aggregations back even for single matches (now that the filters built from query_keys are working). Closing.