When we tweak certain values to tune a rule's sensitivity, it would be helpful to include those values in the rule message. For example, in our metric_aggregation rule we are playing with the buffer_time and realert times. Can we put those values into the rule message?

Sample rule - note the hard-coded values in the text:
```yaml
name: CPU Spike
type: metric_aggregation
index: metricbeat-*
buffer_time:
  seconds: 60
realert:
  minutes: 15
metric_agg_key: windows.perfmon.processor.time.total.pct
metric_agg_type: avg
query_key: beat.hostname.keyword
timestamp_field: "@timestamp"
max_threshold: 80.0
filter:
  - exists:
      field: windows.perfmon.processor.time.total.pct
alert:
  - "email"
use_local_time: true
email:
  - "someone@example.com"
from_addr: "Monitor <monitoring.no-reply@example.com>"
email_format: "html"
alert_subject: "ALERT: CPU Spike {0} @ {1}"
alert_subject_args:
  - beat.hostname.keyword
  - "@timestamp"
alert_text: |
  <h3>Alert!</h3>
  <p>Timestamp: {0}.</p>
  <p>Server: {1}</p>
  <p>The <b>system.cpu.system.pct_avg</b> was {2:.2f}% over at least 60 sec.</p>
  <p>This alert will not repeat for 15 min even if the situation is still happening.</p>
  <pre>
alert_text_args:
  - "@timestamp"
  - beat.hostname.keyword
  - metric_windows.perfmon.processor.time.total.pct_avg
```
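An added example, not part of the original post and not an ElastAlert feature: a small pre-processing step, run over the rule before it is loaded, that renders the rule's own buffer_time and realert into the message and lints the text for hard-coded durations that have drifted from the configured values. The trimmed RULE dict and the function names (render_alert_text, stale_durations) are constructed for this example.

```python
import re

# Constructed for this example: the post's rule reduced to the fields involved, with the
# hard-coded "60 sec" / "15 min" replaced by placeholders filled from the rule itself.
RULE = {
    "name": "CPU Spike",
    "buffer_time": {"seconds": 60},
    "realert": {"minutes": 15},
    "alert_text": (
        "<h3>Alert!</h3>\n"
        "<p>Timestamp: {0}.</p>\n"
        "<p>Server: {1}</p>\n"
        "<p>The CPU average was {2:.2f}% over at least {buffer_time}.</p>\n"
        "<p>This alert will not repeat for {realert} even if the situation is still happening.</p>\n"
    ),
}

# ElastAlert duration dicts use timedelta keyword names; keep the author's unit when rendering.
UNIT_LABELS = {"seconds": "sec", "minutes": "min", "hours": "hr", "days": "days", "weeks": "wk"}
DURATION_RE = re.compile(r"(\d+)\s*(sec|min|hr|days|wk)\b")


def human_duration(spec):
    """{'seconds': 60} -> '60 sec'; {'minutes': 15} -> '15 min'."""
    return " ".join(f"{value} {UNIT_LABELS[unit]}" for unit, value in spec.items())


def render_alert_text(rule, *match_args):
    """Fill {buffer_time}/{realert} from the rule; match_args feed the {0}, {1}, ... slots."""
    return rule["alert_text"].format(
        *match_args,
        buffer_time=human_duration(rule["buffer_time"]),
        realert=human_duration(rule["realert"]),
    )


def stale_durations(rule):
    """Hard-coded 'N unit' mentions in alert_text that no longer match buffer_time or realert."""
    expected = {human_duration(rule[key]) for key in ("buffer_time", "realert")}
    found = {f"{n} {unit}" for n, unit in DURATION_RE.findall(rule["alert_text"])}
    return sorted(found - expected)


if __name__ == "__main__":
    print(render_alert_text(RULE, "2024-01-01T00:00:00Z", "host-01", 91.234))
    # The post's literal wording after realert was retuned to 30 min: the lint flags "15 min".
    drifted = dict(RULE, realert={"minutes": 30},
                   alert_text="...over at least 60 sec. This alert will not repeat for 15 min...")
    print(stale_durations(drifted))  # ['15 min']
```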