Elasticsearch查询未接收数据


我们正在使用metricbeat监控多台服务器,希望在任何一台服务器上的metricbeat停止时触发警报。判断依据是:如果最近5分钟内没有收到某台服务器的数据,就说明该服务器上的metricbeat已停止。
我想知道这个警报的查询应该怎么写。下面是我目前的watch配置:

PUT _watcher/watch/eba1f994-1306-4846-b586-5a2c6135b4bc
{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-5m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "servers": {
              "terms": {
                "field": "tags",
                "size": 1000,
                "min_doc_count": 0
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.servers.buckets": {
        "path": "doc_count",
        "eq": {
          "value": 0,
          "quantifier": "some"
        }
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "This servers are not sending data: {{#ctx.payload.aggregations.servers.buckets}} {{key}} {{doc_count}},{{/ctx.payload.aggregations.servers.buckets}}"
      }
    }
  },



您可以使用如下的监视器配置:

PUT _watcher/watch/metric_check
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": "your_index_name_or_index_pattern",
        "types": "count",
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "timestamp": {
                      "gte": "now-5m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "servers": {
              "terms": {
                "field": "server_host_or_ip_field_name",
                "size": 100,
                "min_doc_count": 0
              },
              "aggs": {
                "the_filter": {
                  "bucket_selector": {
                    "buckets_path": {
                      "the_doc_count": "_count"
                    },
                    "script": "params.the_doc_count < 1"
                  }
                }
              }
            }
          },
          "size": 1
        }
      }
    }
  },
   "condition": {
      "array_compare": {
        "ctx.payload.aggregations.servers.buckets": {
          "path": "doc_count",
          "eq": {
             "value": 0
          }
        }
      }
    },
  "actions": {
    "send_email": { 
      "email": {
        "to": "<username>@<domainname>", 
        "subject": "Watcher Notification - MetricBeat no data",
        "body": "This servers are not sending data: {{#ctx.payload.aggregations.servers.buckets}} {{key}},{{/ctx.payload.aggregations.servers.buckets}}"
      }
    }
  }
}

请参阅 Array Compare Condition 和 Email Action 的文档以了解更多详细信息。

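**注意:**我没有验证过这个配置,但它应该可以工作。使用前请替换其中的占位符(`your_index_name_or_index_pattern`、`server_host_or_ip_field_name`、`<username>@<domainname>`),并确认 range 过滤器中的时间字段与索引一致:问题中的 Metricbeat 查询使用的是 `@timestamp`,而这里写的是 `timestamp`。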
