I want to set up an alert that notifies me when a spike occurs. My data is structured as follows:
"_source": {
    "@timestamp": "2016-11-23T18:30:45.233Z",
    "invalid_request": 400,
    "total_request": 40000
}
I want to set up a spike alert that emails me if the invalid request ratio spikes within 20 minutes, but the rule yaml below does not give me any hits.
# (Required)
# Rule name, must be unique
name: Invalid Count Spike
# (Required)
# Type of alert.
type: spike
# (Required)
# Index to search, wildcard supported
index: logstash-*
# (Required one of _cur or _ref, spike specific)
# The minimum number of events that will trigger an alert
threshold_cur: 1
#threshold_ref: 5
# The size of the window used to determine average event frequency
# We use two sliding windows each of size timeframe
# To measure the 'reference' rate and the current rate
timeframe:
  minutes: 20
# (Required, spike specific)
# The spike rule matches when the current window contains spike_height times more
# events than the reference window
spike_height: 2
# (Required, spike specific)
# The direction of the spike
# 'up' matches only spikes, 'down' matches only troughs
# 'both' matches both spikes and troughs
spike_type: "both"
# (Required)
# A list of elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
script_fields:
  invalid_ratio:
    script: "doc['invalid_request'].value / doc['total_request'].value"
filter:
- range:
    invalid_ratio:
      gt: 0
# (Required)
# The alert is used when a match is found
alert:
- "email"
# (required, email specific)
# a list of email addresses to send alerts to
email:
- "john.doe@email.com"
I know my email sending works, because if I just enter a simple query (for example, trigger when total_request is greater than 0) it sends the email, but the script I entered does not seem to work the way I expect. Anyone familiar with ElastAlert would be a great help with this. Thanks.
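Added example, not part of the question or of ElastAlert's own code. The comments in the rule above say the spike rule compares the number of matching events in the current window against the reference window of the same size, not the value of a computed field. In Elasticsearch, `script_fields` are computed only for the hits a query returns; they are not indexed, so a `range` filter on `invalid_ratio` matches no document, which is why the rule produces no hits. The Python below makes explicit the comparison the alert actually needs: it aggregates the invalid ratio per sliding window over constructed documents in the `_source` shape shown in the question and applies the `spike_height` / `spike_type` / `threshold_cur` semantics to that ratio. The documents, timestamps, and the helper names `window_ratio` and `spike_match` are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents in the question's _source shape (not real data).
SAMPLE_DOCS = [
    {"@timestamp": "2016-11-23T17:50:00.000Z", "invalid_request": 400, "total_request": 40000},   # 1.0 %
    {"@timestamp": "2016-11-23T18:00:00.000Z", "invalid_request": 450, "total_request": 45000},   # 1.0 %
    {"@timestamp": "2016-11-23T18:12:00.000Z", "invalid_request": 1200, "total_request": 40000},  # 3.0 %
    {"@timestamp": "2016-11-23T18:25:00.000Z", "invalid_request": 1300, "total_request": 42000},  # ~3.1 %
]

# Same window size as the rule's "timeframe: minutes: 20".
TIMEFRAME = timedelta(minutes=20)


def parse_ts(value):
    """Parse the ISO-8601 @timestamp string Logstash writes into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def window_ratio(docs, start, end):
    """Aggregate invalid ratio sum(invalid)/sum(total) over docs with start <= ts < end.

    Returns (ratio, doc_count). ratio is None when the window carries no traffic,
    so an empty reference window is never mistaken for a ratio of zero.
    """
    selected = [d for d in docs if start <= parse_ts(d["@timestamp"]) < end]
    total = sum(d["total_request"] for d in selected)
    invalid = sum(d["invalid_request"] for d in selected)
    if total == 0:
        return None, len(selected)
    return invalid / total, len(selected)


def spike_match(docs, now, timeframe, spike_height, spike_type="both", threshold_cur=1):
    """Two-sliding-window spike comparison applied to the invalid ratio (hypothetical helper).

    The current window is [now - timeframe, now); the reference window is the timeframe
    just before it. An 'up' spike is a current ratio >= spike_height * reference ratio,
    a 'down' spike is a current ratio <= reference ratio / spike_height. threshold_cur is
    the minimum number of events the current window must hold before comparing at all.
    Returns None when there is not enough data on either side to compare.
    """
    cur_start = now - timeframe
    ref_start = cur_start - timeframe
    ratio_cur, n_cur = window_ratio(docs, cur_start, now)
    ratio_ref, _ = window_ratio(docs, ref_start, cur_start)
    if n_cur < threshold_cur or ratio_cur is None or ratio_ref is None:
        return None
    if ratio_ref == 0:
        return None  # any increase from a zero baseline is infinite; no meaningful multiple
    up = ratio_cur >= spike_height * ratio_ref
    down = ratio_cur <= ratio_ref / spike_height
    matched = {"up": up, "down": down, "both": up or down}[spike_type]
    return {
        "matched": matched,
        "ratio_cur": ratio_cur,
        "ratio_ref": ratio_ref,
        "direction": "up" if up else ("down" if down else "none"),
    }


if __name__ == "__main__":
    # Evaluate the rule at 18:30: current window 18:10-18:30, reference window 17:50-18:10.
    now = parse_ts("2016-11-23T18:30:00.000Z")
    print(spike_match(SAMPLE_DOCS, now, TIMEFRAME, spike_height=2, spike_type="both"))
```

Evaluated at 18:30 on the sample data, the reference window sits at a 1% invalid ratio and the current window at about 3%, so the `up` comparison fires at `spike_height: 2`; evaluated at 18:10 the reference window is empty and the function returns None rather than alerting, which is the behaviour a defender wants at the start of a data series.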