Elastalert在一个文件中简化了多个规则 [英] Elastalert simplified multiple rules in one file
问题描述
我正在为心跳编写 Elastalart 规则,即,如果服务或机器出现故障,我应该得到通知.现在,我可以为每个文件创建一个服务规则,如下所示.
I'm writing Elastalart rules for heartbeat i.e if service or machine are/is down, I should get notified. Right now I can create one rule for service per one file like below.
name: My Alert
type: frequency
index: heartbeat-*
num_events: 5
timeframe:
minutes: 2
filter:
- query:
query_string:
query: "url.domain: MY_LOCALHOST01.local AND monitor.status: down"
alert:
- "email"
email:
- "user@example.in"
有什么办法,我可以指定多个规则吗?...我可以指定以下多个过滤器
Is there any way, can I specify multiple rules??... I can specify multiple filter like below
...
filter:
- query: # Filter 1
query_string:
query: "url.domain: MY_LOCALHOST01.local AND monitor.status: down"
- query: # Filter 2
query_string:
query: "url.domain: MY_LOCALHOST02.local AND monitor.status: down"
...
但是Elatalert考虑在所有过滤器上使用 num_events .例如,我不想对诸如 Filter 1 获得3次点击和 Filter 2 获得2次点击(即3 + 2 = 5等于num_events .
But Elatalert consider num_events on ALL filters. For example, I dont want to get alert for situation like Filter 1 got 3 hits and Filter 2 got 2 hits i.e 3+2=5 which is equal to num_events.
那么, num_events 有什么方法可以检查每个过滤器?例如,如果 Filter 1 获得5次点击,而 Filter 2 获得3次点击,那么我可以确认 MY_LOCALHOST01 确实处于关闭状态并发送警报.
So, is there any ways the num_events should check per filter? like if Filter 1 got 5 hits and Filter 2 got 3 hits, then I can confirm MY_LOCALHOST01 is really DOWN and send alert.
我不要多个文件.很难管理/修改.
I don't want multiple files. It would be hard to manage/modify.
推荐答案
我建议您在进行此操作之前先考虑一下.
I would suggest you to think before doing this.
要获得预期的结果:
-
将
rule_type设置为更改,而不是频率
保持相同的时间范围.
状态上的状态,请检查它是否 down
在 monitor 字段上设置过滤器.
将 alert 设置为POST
您可以拥有自己的后端API,您可以将其重定向到该API-您可以发送已更改的整个文档-通过它可以识别哪个 domain 已关闭.后端API可以向哪个域关闭的索引写入索引.密钥名称是 domain_name .您可以增加一种反制的东西.我不确定我们是否也可以直接发布ES.但是文档说任何接受JSON的端点.
You can have your own backend API to which you can redirect - You can send the entire document which got changed - Through which you can identify which domain is down. Backend API can write to an index which domain is down. Key name is domain_name. You can keep a counter kind of thing to increase. I am not sure whether we can directly post too ES. But documentation says any end point which accepts JSON.
现在,在新索引上设置了 frequency 规则.将过滤器设置为 OR - domain1_down:5 OR domain2_down:5 .您可以具有相同的电子邮件警报.但是您需要从 key 导出哪个域,或者可以在索引中再有一个字段供警报使用.
Now you have your frequencyrule set on the new index. Have your filters as OR - domain1_down : 5 OR domain2_down:5. You can have your same email alerting. But you need to derive which domain from the key or you can have one more field in the index to be used by alerting.
最棘手的是,您的配置说您想在2分钟的时间内找到5个域的停机时间
通过上述步骤,您可以发现它是否下降了5次.但不在2分钟内.我想您可以通过在额外索引中保留字段 previous_down_time 来实现这一目标.
By using the aforementioned steps, you can find whether it went down 5 times. But not within 2 minutes time frame. I guess that you can achieve that by keeping a field previous_down_time in the extra index.
这是实现所需目标的较难方法.我认为没有比维护单独的文件更好的方法了.那并不比这难.
It's harder way to achieve what is needed. I don't think there is no other better way than maintaining separate files. That is not harder than this.
这篇关于Elastalert在一个文件中简化了多个规则的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
