
I need an Elasticsearch Watcher alert to fire if, within a certain time range, no records matching a pattern have been inserted into the index, and it needs to be able to do this while grouping on another pair of fields. That is, the records will be of the pattern: Date Timestamp Level Message Client Site

It needs to check each client site for messages matching "Is running" (i.e. Google Maps and Bing Maps having the same maps site). I think the best (?) way at the moment is to run one watcher per client site.

So far I have this, assuming a task that should write to the log every 20 minutes:

{
  "trigger" : { 
    "schedule" : {
      "interval" : "25m"
    }
  },
  "input" : { 
    "search" : {
      "request" : {
        "search_type" : "count",
        "indices" : "<logstash-{now/d}>",
        "body" : {
          "filtered" : {
            "query" : { 
              "match_phrase" : { "Message" : "Is running" } 
            },
            "filter" : {
              "match" : { "Client" : "Example" } ,
              "match" : { "Site" : "SomeSite" } 
            }

          }
        }
      }
    }
  },
  "condition" : { 
    "script" : "return ctx.payload.hits.total < 1"
  },

  "actions" : { 
    "email_administrator" : {
      "email" : {
        "to" : "me@host.tld",
        "subject" : "Tasks are not running for {{ctx.payload.client}} on their site {{ctx.payload.site}}",
        "body" : "Too many errors in the system, see attached data",
        "attach_data" : true,
        "priority" : "high"
      }
    }
  }
}

2 Answers


You have to change your condition; it supports JSON format:

    "condition" : { 
      "script" : "return ctx.payload.hits.total : 1"
    }

Please refer to the following link:

https://www.elastic.co/guide/en/watcher/current/condition.html
answered 2016-02-19T09:02:17.753

For anyone who wants to know how to do this in the future: some things need to be nested in the query as part of the filter, and match becomes term. Fun!...

{
  "trigger": {
    "schedule": {
      "interval": "25m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "count",
        "indices": "<logstash-{now/d}>",
        "body": {
          "query": {
            "filtered": {
              "query": {
                "match_phrase": {
                  "Message": "Its running"
                }
              },
              "filter": {
                "bool": {
                  "must": [
                    { "term": { "Client": "Example" } },
                    { "term": { "Site": "SomeSite" } },
                    {
                      "range": {
                        "event_timestamp": {
                          "gte": "now-25m",
                          "lte": "now"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "lte": 1
      }
    }
  },

  "actions": {
    "email_administrator": {
      "email": {
        "to": "me@host.tld",
        "subject": "Tasks are not running for {{ctx.payload.client}} on their site {{ctx.payload.site}}",
        "body": "Tasks are not running for {{ctx.payload.client}} on their site {{ctx.payload.site}}",
        "attach_data": true,
        "priority": "high"
      }
    }
  }
}
answered 2015-08-20T14:39:30.390
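An added example, not from the question or either answer: a Python helper that generates one watch per client/site pair (the per-site approach the question proposes), with the three filter clauses placed in a single bool/must array and a condition that fires only when the window holds zero matching hits. The client/site inventory, the watch id scheme and the 25-minute window are constructed assumptions.

```python
import json
# Constructed sample inventory (not from the original post): one watch per
# (client, site) pair, the per-site approach the question proposes.
CLIENT_SITES = [("Example", "SomeSite"), ("Example", "OtherSite")]

def build_watch(client, site, interval="25m", window="25m", to="me@host.tld"):
    """Build one Watcher 1.x body (filtered-query syntax) for a client/site pair."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "search_type": "count",
            "indices": "<logstash-{now/d}>",
            "body": {"query": {"filtered": {
                "query": {"match_phrase": {"Message": "Is running"}},
                # All three clauses go in one bool/must array: repeating a key
                # inside a single JSON object keeps only the last value.
                "filter": {"bool": {"must": [
                    {"term": {"Client": client}},
                    {"term": {"Site": site}},
                    {"range": {"event_timestamp": {"gte": "now-" + window, "lte": "now"}}},
                ]}},
            }}},
        }}},
        # Fire only when nothing matched in the window (hits.total == 0).
        "condition": {"compare": {"ctx.payload.hits.total": {"lt": 1}}},
        "actions": {"email_administrator": {"email": {
            "to": to,
            # Bake client/site into the text: ctx.payload is the search
            # response and carries no 'client' or 'site' field.
            "subject": "Tasks are not running for %s on their site %s" % (client, site),
            "body": "No 'Is running' record for %s/%s in the last %s" % (client, site, window),
            "attach_data": True,
            "priority": "high",
        }}},
    }

def watch_id(client, site):
    return "tasks_running_%s_%s" % (client.lower(), site.lower())

def condition_fires(watch, hits_total):
    # Evaluate the watch's compare condition locally for a given hits.total.
    threshold = watch["condition"]["compare"]["ctx.payload.hits.total"]["lt"]
    return hits_total < threshold

def build_all(pairs=CLIENT_SITES):
    # Map watch id -> body, ready for PUT _watcher/watch/<id>.
    return {watch_id(c, s): build_watch(c, s) for c, s in pairs}

if __name__ == "__main__":
    for wid, body in build_all().items():
        print("PUT _watcher/watch/%s\n%s" % (wid, json.dumps(body, indent=2)))
```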