Elasticsearch Threshold Alert (Watcher) to check Logstash instance monitoring incoming events

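This watcher checks every 5 minutes whether the number of Logstash monitoring events in the previous 5 minutes is below 1 (that is, zero), which means Logstash monitoring is in trouble. As shown, `actions` is empty, so no notification is sent until an action is added.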

"watch" : {
    "trigger" : {
      "schedule" : {
        "interval" : "5m"
      }
    },
    "input" : {
      "search" : {
        "request" : {
          "search_type" : "query_then_fetch",
          "indices" : [
            ".monitoring-logstash-*"
          ],
          "types" : [ ],
          "body" : {
            "size" : 0,
            "query" : {
              "bool" : {
                "filter" : {
                  "range" : {
                    "logstash_stats.timestamp" : {
                      "gte" : "{{ctx.trigger.scheduled_time}}||-5m",
                      "lte" : "{{ctx.trigger.scheduled_time}}",
                      "format" : "strict_date_optional_time||epoch_millis"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition" : {
      "script" : {
        "source" : "if (ctx.payload.hits.total < params.threshold) { return true; } return false;",
        "lang" : "painless",
        "params" : {
          "threshold" : 1
        }
      }
    },
    "transform" : {
      "script" : {
        "source" : "HashMap result = new HashMap(); result.result = ctx.payload.hits.total; return result;",
        "lang" : "painless",
        "params" : {
          "threshold" : 1
        }
      }
    },
    "actions" : { },
    "metadata" : {
      "name" : "Logstash Check Monitoring Events",
      "watcherui" : {
        "trigger_interval_unit" : "m",
        "agg_type" : "count",
        "time_field" : "logstash_stats.timestamp",
        "trigger_interval_size" : 5,
        "term_size" : 5,
        "time_window_unit" : "m",
        "threshold_comparator" : "<",
        "term_field" : null,
        "index" : [
          ".monitoring-logstash-*"
        ],
        "time_window_size" : 5,
        "threshold" : 1,
        "agg_field" : null
      },
      "xpack" : {
        "type" : "threshold"
      }
    }
  }