Skip to content

Instantly share code, notes, and snippets.

@nberger
Last active December 18, 2018 03:19
Show Gist options
  • Save nberger/fc636d8c2712b38a39f5 to your computer and use it in GitHub Desktop.
Save nberger/fc636d8c2712b38a39f5 to your computer and use it in GitHub Desktop.
riemann - send email when there are more than 5 critical events every 30 seconds
; http://stackoverflow.com/questions/31269170/event-count-at-certain-time-interval-in-riemann
(let [email (mailer {:host "localhost"
:port 1025
:from "[email protected]"})]
(streams
(where (and (service "system_log")
(description "IE")
(not (expired? event)))
; we are interested in the event count, so let's fix to :metric 1
(with :metric 1
; measure the rate in a 30 seconds interval
(rate 30
; we want the rate per half minutes
(scale 30
; for debugging
prn
; when there were more than 5 events
(where (> metric 5)
; change the status to this value
(with {:status "login failures"}
; for debugging
prn
; send email
(email "[email protected]")))))))))
@Rajeshkumar123
Copy link

I used rate and scale but it didn't works for me. May be I am using it in wrong way.The above edited code is working by using fixed-time-window itseld but it triggering email for N number of condition satisfied with in 30 sec(for eg.If my condition was true for 10 times within that 30 sec means 10 emails got triggered). I want only one email at the end of every 30sec if the condition is satisfied. If no event matches my condition within 30sec interval means no email should trigger. I pasted my latest code.

(let [email (mailer {...})](streams
%28where %28and %28service)
(not (expired? event)))
(fixed-time-window
30
(smap
(fn [events](let [count-of-failures %28count %28filter #%28= "IE" %28:description %)) events))]
(events
{:status "login failures"
:metric count-of-failures
:total-fail (> count-of-failures 5)
})))

(where (and (= (:status event) "login failures")
                  (:total-fail event))
(email "[email protected]")))))))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment