我想在我的索引中出现任何具有 loglevel ERROR 的日志时立即向通道发送 Slack 通知。我已经通过以下方式配置了观察者,但它给了我错误。松弛消息必须有日志消息。我无法准确配置它。
{
"trigger": {
"schedule": {
"interval": "10s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"index-log*",
"index-beat*"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"match": {
"loglevel": "ERROR"
},
"range": {
"@timestamp": {
"from": "{{ctx.trigger.scheduled_time}}||-5m",
"to": "{{ctx.trigger.triggered_time}}"
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"send_trigger": {
"webhook": {
"scheme": "https",
"host": "hooks.slack.com",
"port": 443,
"method": "post",
"path": "/services/XXXX/XXXX/XXXX",
"params": {},
"headers": {
"Content-type": "application/json"
},
"body": """{ "text": "{{ctx.payload}}"}"""
}
}
}
}
以下是我在 kibana 中的日志结构
{
"_index": "index-beat",
"_type": "_doc",
"_id": "P3Toa34B1LVeuWotaVOY",
"_version": 1,
"_score": 1,
"_source": {
"@timestamp": "2022-01-18T06:38:19.559Z",
"name": "communication",
"loglevel": "ERROR",
"log": {
"file": {
"path": "/home/ubuntu/abc/abc/logs/communication.log"
},
"offset": 0
},
"timestamp": "2022-01-18T06:38:15.384279",
"exception": {
"ex_type": "None",
"ex": "None",
"tb": ""
},
"message": "{'err': 'Test'}"
},
"fields": {
"exception.ex_type": [
"None"
],
"loglevel.keyword": [
"ERROR"
],
"name.keyword": [
"communication"
],
"log.offset": [
0
],
"message": [
"{'err': 'Test'}"
],
"exception.tb": [
""
],
"exception.ex": [
"None"
],
"@timestamp": [
"2022-01-18T06:38:19.559Z"
],
"exception.tb.keyword": [
""
],
"loglevel": [
"ERROR"
],
"log.file.path": [
"/home/ubuntu/abc/abc/logs/communication.log"
],
"message.keyword": [
"{'err': 'Test'}"
],
"name": [
"communication"
],
"exception.ex_type.keyword": [
"None"
],
"exception.ex.keyword": [
"None"
],
"log.file.path.keyword": [
"/home/ubuntu/abc/abc/logs/communication.log"
],
"timestamp": [
"2022-01-18T06:38:15.384Z"
]
}
}
请帮我解决这个问题。