Version 7.9
下列是針對 field agent 裡包含特定 value 去做 aggs，出來的數據判斷說只要小於 1 就會發出 alert，但這邊遇到一個問題：當該 agent 的 value 在這段時間內不存在時（terms aggregation 不會替它產生 bucket，array_compare 也就比不到），就無法判斷。心中想要的做法是，當在這 10 分鐘內 agent 是 701398 query 不到資料就發出告警，想請問我該如何修改我下列的設定
Watcher 設定
{
"trigger": {
"schedule": {
"interval": "10m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"aggs": {
"agent_total": {
"terms": {
"field": "agent",
"include": [
"701085",
"701657",
"701404",
"701379",
"701398"
],
"order": {
"_count": "desc"
},
"size": 20
}
}
},
"query": {
"bool": {
"must": [],
"filter": [
{
"match_all": {}
},
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte": "now-10m"
}
}
}
],
"should": [],
"must_not": []
}
},
"stored_fields": [
"*"
],
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
}
]
}
}
}
},
"condition": {
"array_compare": {
"ctx.payload.aggregations.agent_total.buckets": {
"path": "doc_count",
"lt": {
"value": 3,
"quantifier": "some"
}
}
}
},
"actions": {
"tg_webhook": {
"webhook": {
"scheme": "https",
"host": "api.telegram.org",
"port": 443,
"method": "post",
"path": "/botdewfkkorekfoker/sendMessage",
"params": {},
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "chat_id=-12eedrfref&text=######### 請確認代理是否掛維護 #########\n {{#ctx.payload.aggregations.agent_total.buckets}} 代理:{{key}} 目前請求數:{{doc_count}} \n {{/ctx.payload.aggregations.agent_total.buckets}} \n #############################"
}
}
}
}
Query Result 示意
{
"_id" : "_inlined__966ecd46-9016-4082-968a-0fddbe7c67a1-2021-06-08T07:45:02.150527Z",
"watch_record" : {
"watch_id" : "_inlined_",
"node" : "iv6bT8pjTUGur9AuZCXdcg",
"state" : "execution_not_needed",
"user" : "elastic",
"status" : {
"state" : {
"active" : true,
"timestamp" : "2021-06-08T07:45:02.149Z"
},
"last_checked" : "2021-06-08T07:45:02.150Z",
"actions" : {
"tg_webhook" : {
"ack" : {
"timestamp" : "2021-06-08T07:45:02.149Z",
"state" : "awaits_successful_execution"
}
}
},
"execution_state" : "execution_not_needed",
"version" : -1
},
"trigger_event" : {
"type" : "manual",
"triggered_time" : "2021-06-08T07:45:02.150Z",
"manual" : {
"schedule" : {
"scheduled_time" : "2021-06-08T07:45:02.150Z"
}
}
},
"input" : {
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
"logstash-*"
],
"rest_total_hits_as_int" : true,
"body" : {
"size" : 0,
"aggs" : {
"agent_total" : {
"terms" : {
"field" : "agent",
"include" : [
"91352",
"90839",
"11111"
],
"order" : {
"_count" : "desc"
},
"size" : 50
}
}
},
"query" : {
"bool" : {
"must" : [ ],
"filter" : [
{
"match_all" : { }
},
{
"range" : {
"@timestamp" : {
"format" : "strict_date_optional_time",
"gte" : "now-10m"
}
}
}
],
"should" : [ ],
"must_not" : [ ]
}
},
"stored_fields" : [
"*"
],
"docvalue_fields" : [
{
"field" : "@timestamp",
"format" : "date_time"
}
]
}
}
}
},
"condition" : {
"array_compare" : {
"ctx.payload.aggregations.agent_total.buckets" : {
"path" : "doc_count",
"lt" : {
"value" : 10,
"quantifier" : "some"
}
}
}
},
"result" : {
"execution_time" : "2021-06-08T07:45:02.150Z",
"execution_duration" : 16,
"input" : {
"type" : "search",
"status" : "success",
"payload" : {
"_shards" : {
"total" : 21,
"failed" : 0,
"successful" : 21,
"skipped" : 0
},
"hits" : {
"hits" : [ ],
"total" : 10000,
"max_score" : null
},
"took" : 14,
"timed_out" : false,
"aggregations" : {
"agent_total" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"doc_count" : 2371,
"key" : 91352
},
{
"doc_count" : 128,
"key" : 90839
}
]
}
}
},
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
"logstash-*"
],
"rest_total_hits_as_int" : true,
"body" : {
"size" : 0,
"aggs" : {
"agent_total" : {
"terms" : {
"field" : "agent",
"include" : [
"91352",
"90839",
"11111"
],
"order" : {
"_count" : "desc"
},
"size" : 50
}
}
},
"query" : {
"bool" : {
"must" : [ ],
"filter" : [
{
"match_all" : { }
},
{
"range" : {
"@timestamp" : {
"format" : "strict_date_optional_time",
"gte" : "now-10m"
}
}
}
],
"should" : [ ],
"must_not" : [ ]
}
},
"stored_fields" : [
"*"
],
"docvalue_fields" : [
{
"field" : "@timestamp",
"format" : "date_time"
}
]
}
}
}
},
"condition" : {
"type" : "array_compare",
"status" : "success",
"met" : false,
"array_compare" : {
"resolved_values" : {
"ctx.payload.aggregations.agent_total.buckets" : [
{
"doc_count" : 2371,
"key" : 91352
},
{
"doc_count" : 128,
"key" : 90839
}
]
}
}
},
"actions" : [ ]
},
"messages" : [ ]
}
}
下列是針對 field agent 裡包含特定 value 去做 aggs，出來的數據判斷說只要小於 1 就會發出 alert，但這邊遇到一個問題：當該 agent 的 value 在這段時間內不存在時（terms aggregation 不會替它產生 bucket，array_compare 也就比不到），就無法判斷。心中想要的做法是，當在這 10 分鐘內 agent 是 701398 query 不到資料就發出告警，想請問我該如何修改我下列的設定
Watcher 設定
{
"trigger": {
"schedule": {
"interval": "10m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"aggs": {
"agent_total": {
"terms": {
"field": "agent",
"include": [
"701085",
"701657",
"701404",
"701379",
"701398"
],
"order": {
"_count": "desc"
},
"size": 20
}
}
},
"query": {
"bool": {
"must": [],
"filter": [
{
"match_all": {}
},
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte": "now-10m"
}
}
}
],
"should": [],
"must_not": []
}
},
"stored_fields": [
"*"
],
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
}
]
}
}
}
},
"condition": {
"array_compare": {
"ctx.payload.aggregations.agent_total.buckets": {
"path": "doc_count",
"lt": {
"value": 3,
"quantifier": "some"
}
}
}
},
"actions": {
"tg_webhook": {
"webhook": {
"scheme": "https",
"host": "api.telegram.org",
"port": 443,
"method": "post",
"path": "/botdewfkkorekfoker/sendMessage",
"params": {},
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "chat_id=-12eedrfref&text=######### 請確認代理是否掛維護 #########\n {{#ctx.payload.aggregations.agent_total.buckets}} 代理:{{key}} 目前請求數:{{doc_count}} \n {{/ctx.payload.aggregations.agent_total.buckets}} \n #############################"
}
}
}
}
Query Result 示意
{
"_id" : "_inlined__966ecd46-9016-4082-968a-0fddbe7c67a1-2021-06-08T07:45:02.150527Z",
"watch_record" : {
"watch_id" : "_inlined_",
"node" : "iv6bT8pjTUGur9AuZCXdcg",
"state" : "execution_not_needed",
"user" : "elastic",
"status" : {
"state" : {
"active" : true,
"timestamp" : "2021-06-08T07:45:02.149Z"
},
"last_checked" : "2021-06-08T07:45:02.150Z",
"actions" : {
"tg_webhook" : {
"ack" : {
"timestamp" : "2021-06-08T07:45:02.149Z",
"state" : "awaits_successful_execution"
}
}
},
"execution_state" : "execution_not_needed",
"version" : -1
},
"trigger_event" : {
"type" : "manual",
"triggered_time" : "2021-06-08T07:45:02.150Z",
"manual" : {
"schedule" : {
"scheduled_time" : "2021-06-08T07:45:02.150Z"
}
}
},
"input" : {
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
"logstash-*"
],
"rest_total_hits_as_int" : true,
"body" : {
"size" : 0,
"aggs" : {
"agent_total" : {
"terms" : {
"field" : "agent",
"include" : [
"91352",
"90839",
"11111"
],
"order" : {
"_count" : "desc"
},
"size" : 50
}
}
},
"query" : {
"bool" : {
"must" : [ ],
"filter" : [
{
"match_all" : { }
},
{
"range" : {
"@timestamp" : {
"format" : "strict_date_optional_time",
"gte" : "now-10m"
}
}
}
],
"should" : [ ],
"must_not" : [ ]
}
},
"stored_fields" : [
"*"
],
"docvalue_fields" : [
{
"field" : "@timestamp",
"format" : "date_time"
}
]
}
}
}
},
"condition" : {
"array_compare" : {
"ctx.payload.aggregations.agent_total.buckets" : {
"path" : "doc_count",
"lt" : {
"value" : 10,
"quantifier" : "some"
}
}
}
},
"result" : {
"execution_time" : "2021-06-08T07:45:02.150Z",
"execution_duration" : 16,
"input" : {
"type" : "search",
"status" : "success",
"payload" : {
"_shards" : {
"total" : 21,
"failed" : 0,
"successful" : 21,
"skipped" : 0
},
"hits" : {
"hits" : [ ],
"total" : 10000,
"max_score" : null
},
"took" : 14,
"timed_out" : false,
"aggregations" : {
"agent_total" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"doc_count" : 2371,
"key" : 91352
},
{
"doc_count" : 128,
"key" : 90839
}
]
}
}
},
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
"logstash-*"
],
"rest_total_hits_as_int" : true,
"body" : {
"size" : 0,
"aggs" : {
"agent_total" : {
"terms" : {
"field" : "agent",
"include" : [
"91352",
"90839",
"11111"
],
"order" : {
"_count" : "desc"
},
"size" : 50
}
}
},
"query" : {
"bool" : {
"must" : [ ],
"filter" : [
{
"match_all" : { }
},
{
"range" : {
"@timestamp" : {
"format" : "strict_date_optional_time",
"gte" : "now-10m"
}
}
}
],
"should" : [ ],
"must_not" : [ ]
}
},
"stored_fields" : [
"*"
],
"docvalue_fields" : [
{
"field" : "@timestamp",
"format" : "date_time"
}
]
}
}
}
},
"condition" : {
"type" : "array_compare",
"status" : "success",
"met" : false,
"array_compare" : {
"resolved_values" : {
"ctx.payload.aggregations.agent_total.buckets" : [
{
"doc_count" : 2371,
"key" : 91352
},
{
"doc_count" : 128,
"key" : 90839
}
]
}
}
},
"actions" : [ ]
},
"messages" : [ ]
}
}