如果在时间范围内没有与插入到索引中的模式匹配的记录,我需要让ElasticSearch观察者发出警报,它需要能够在另一对字段上进行分组时执行此操作。 即记录将具有以下模式: 日期时间戳级别消息客户端站点
需要检查每个客户网站的消息是否“正在运行”(即Google地图和Bing地图具有相同的地图网站)。我现在最好的(?)方式就是为每个客户站点运行一个wacher。
Sofar我有这个,假设应该写的任务每隔20分钟就会运行到日志中:
{
"trigger" : {
"schedule" : {
"interval" : "25m"
}
},
"input" : {
"search" : {
"request" : {
"search_type" : "count",
"indices" : "<logstash-{now/d}>",
"body" : {
"filtered" : {
"query" : {
"match_phrase" : { "Message" : "Is running" }
},
"filter" : {
"match" : { "Client" : "Example" } ,
"match" : { "Site" : "SomeSite" }
}
}
}
}
}
},
"condition" : {
"script" : "return ctx.payload.hits.total < 1"
},
"actions" : {
},
"email_administrator" : {
"email" : {
"to" : "me@host.tld",
"subject" : "Tasks are not running for {{ctx.payload.client}} on their site {{ctx.payload.site}}",
"body" : "Too many error in the system, see attached data",
"attach_data" : true,
"priority" : "high"
}
}
}
}
答案 0 :(得分:0)
对于任何想要在未来如何做到这一点的人来说,有些事情需要在查询中嵌套作为过滤器的一部分,匹配就成了术语。有趣!...
{
"trigger": {
"schedule": {
"interval": "25m"
}
},
"input": {
"search": {
"request": {
"search_type": "count",
"indices": "<logstash-{now/d}>",
"body": {
"query": {
"filtered": {
"query": {
"match_phrase": {
"Message": "Its running"
}
},
"filter": {
"query": {
"term": {
"Client": "Example"
}
},
"query": {
"term": {
"Site": "SomeSite"
}
},
"query": {
"range": {
"event_timestamp": {
"gte": "now-25m",
"lte": "now"
}
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"lte": 1
}
}
},
"actions": {
"email_administrator": {
"email": {
"to": "me@host.tld",
"subject": "Tasks are not running for {{ctx.payload.client}} on their site {{ctx.payload.site}}",
"body": "Tasks are not running for {{ctx.payload.client}} on their site {{ctx.payload.site}}",
"attach_data": true,
"priority": "high"
}
}
}
}
答案 1 :(得分:0)
你必须改变你的状况,它支持json格式:
searchObj.group(3)请参阅以下链接,
"condition" : {
"script" : "return ctx.payload.hits.total : 1"
}