Brian Murphy 2954f5f9c2 Fix alert history entry parsing
This commit fixes the alert history parsing that was causing the tests to fail.
It now just warns on null fields and sets the search request on alert history entry creation.

Original commit: elastic/x-pack-elasticsearch@09d2b09b79
2014-11-19 11:57:14 +00:00
2018-04-20 14:16:58 -07:00

alerting

This is the elasticsearch alerting plugin repo.

Creating an alert:

PUT /.alerts/alert/testalert
{
  "request" : {
    "indices" : [
      "logstash*"
    ],
    "body" : {
      "query" : {
        "filtered" : {
          "query" : {
            "match" : {
              "response" : 404
            }
          },
          "filter" : {
            "range" : {
              "@timestamp" : {
                "from" : "{{SCHEDULED_FIRE_TIME}}||-5m",
                "to" : "{{SCHEDULED_FIRE_TIME}}"
              }
            }
          }
        }
      }
    }
  },
  "trigger" : {
    "script" : {
      "script" : "hits.total > 1",
      "script_lang" : "groovy"
    }
  },
  "actions" : {
    "email" : {
      "addresses" : ["brian.murphy@elasticsearch.com"]
    }
  },
  "schedule" : "0 0/1 * * * ?",
  "enable" : true
}

Expected response:

{
   "_index": ".alerts",
   "_type": "alert",
   "_id": "testalert",
   "_version": 1,
   "created": true
}

Viewing an existing alert:

GET /.alerts/alert/testalert
{
   "found": true,
   "_index": ".alerts",
   "_type": "alert",
   "_id": "testalert",
   "_version": 1,
   "alert": {
      "trigger": {
         "script": {
            "script_lang": "groovy",
            "script": "hits.total > 1"
         }
      },
      "schedule": "0 0/1 * * * ?",
      "request": {
         "body": {
            "query": {
               "filtered": {
                  "query": {
                     "match": {
                        "response": 404
                     }
                  },
                  "filter": {
                     "range": {
                        "@timestamp": {
                           "to": "{{SCHEDULED_FIRE_TIME}}",
                           "from": "{{SCHEDULED_FIRE_TIME}}||-5m"
                        }
                     }
                  }
               }
            }
         },
         "indices": [
            "logstash*"
         ]
      },
      "enable": true,
      "actions": {
         "email": {
            "addresses": [
               "brian.murphy@elasticsearch.com"
            ]
         }
      }
   }
}

Deleting an alert:

DELETE /.alerts/alert/testalert

Expected output:

{
   "found": true,
   "_index": ".alerts",
   "_type": "alert",
   "_id": "testalert",
   "_version": 4
}

Creating an alert that uses a script to dig into an aggregation:

PUT _alert/404alert
{
  "request" : {
    "indices" : [
      "logstash*"
    ],
    "body" : {
      "query" : {
        "filtered" : {
          "query" : {
            "match_all" : {}
          },
          "filter" : {
            "range" : {
              "@timestamp" : {
                "from" : "{{SCHEDULED_FIRE_TIME}}||-5m",
                "to" : "{{SCHEDULED_FIRE_TIME}}"
              }
            }
          }
        }
      },
      "aggs" : {
        "response" : {
          "terms" : {
            "field" : "response",
            "size" : 100
          }
        }
      },
      "size" : 0
    }
  },
  "trigger" : {
    "script" : {
      "script" : "ok_count = 0.0;error_count = 0.0;for(bucket in aggregations.response.buckets) {if (bucket.key < 400){ok_count += bucket.doc_count;} else {error_count += bucket.doc_count;}}; return error_count/(ok_count+1) >= 0.1;",
      "script_lang" : "groovy"
    }
  },
  "actions" : {
    "email" : {
      "addresses" : ["brian.murphy@elasticsearch.com"]
    }
  },
  "schedule" : "0 0/1 * * * ?",
  "enable" : true
}

This alert will trigger if the response field has a value greater than or equal to 400 for more than 10% of all values.
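The two alert definitions above share one evaluation cycle: at the scheduled fire time the plugin fills in {{SCHEDULED_FIRE_TIME}} in the search request, runs the search, and hands the response to the trigger script, which answers true or false. The following Python is an added example that models that cycle for both alerts; it is not code from the alerting plugin. The Groovy triggers ("hits.total > 1" and the aggregation walk of the 404alert) are re-expressed as Python functions so the arithmetic can be checked offline, the search responses are constructed stand-ins for what Elasticsearch would return, and the function names, the EXAMPLE_FIRE_TIME constant and the ISO timestamp format used for the substitution are assumptions of this example, not plugin API.

```python
import json
from datetime import datetime, timezone

# The first alert's search request, copied from the README above.
ALERT_404_REQUEST = {
    "indices": ["logstash*"],
    "body": {
        "query": {
            "filtered": {
                "query": {"match": {"response": 404}},
                "filter": {"range": {"@timestamp": {
                    "from": "{{SCHEDULED_FIRE_TIME}}||-5m",
                    "to": "{{SCHEDULED_FIRE_TIME}}",
                }}},
            }
        }
    },
}

# Constructed fire time matching the commit date on this page; any aware datetime works.
EXAMPLE_FIRE_TIME = datetime(2014, 11, 19, 11, 57, tzinfo=timezone.utc)


def render_request(request, fire_time):
    """Substitute {{SCHEDULED_FIRE_TIME}} everywhere in the request body.

    The timestamp format is an assumption of this example: the README shows
    only the template variable, not how the plugin formats it. Date math
    such as "||-5m" is left in place for Elasticsearch to resolve.
    """
    if fire_time.tzinfo is None:
        raise ValueError("fire_time must be timezone-aware")
    stamp = fire_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    # Round-trip through JSON so the substitution reaches every nested string
    # and the original template dict is left untouched.
    return json.loads(json.dumps(request).replace("{{SCHEDULED_FIRE_TIME}}", stamp))


def trigger_hits_total(response, threshold=1):
    """Python form of the first alert's Groovy trigger: hits.total > 1."""
    return response["hits"]["total"] > threshold


def error_ratio(response):
    """Python form of the aggregation walk in the 404alert's Groovy script.

    Buckets keyed below 400 count as ok, the rest as errors. The +1 in the
    denominator is the script's own guard against dividing by zero, so the
    value is errors / (ok + 1) rather than errors / all responses.
    """
    ok_count = 0.0
    error_count = 0.0
    for bucket in response["aggregations"]["response"]["buckets"]:
        if bucket["key"] < 400:
            ok_count += bucket["doc_count"]
        else:
            error_count += bucket["doc_count"]
    return error_count / (ok_count + 1)


def trigger_error_ratio(response, threshold=0.1):
    """Second alert's trigger: error_count/(ok_count+1) >= 0.1."""
    return error_ratio(response) >= threshold


# Constructed search responses standing in for Elasticsearch output.
RESPONSE_TWO_404S = {"hits": {"total": 2, "hits": []}}

RESPONSE_MOSTLY_OK = {  # 50 errors out of 1000: ratio 50/951, below 0.1
    "hits": {"total": 1000, "hits": []},
    "aggregations": {"response": {"buckets": [
        {"key": 200, "doc_count": 950},
        {"key": 404, "doc_count": 40},
        {"key": 500, "doc_count": 10},
    ]}},
}

RESPONSE_NO_OK = {  # every hit is an error; the +1 keeps the division defined
    "hits": {"total": 3, "hits": []},
    "aggregations": {"response": {"buckets": [{"key": 503, "doc_count": 3}]}},
}


if __name__ == "__main__":
    rendered = render_request(ALERT_404_REQUEST, EXAMPLE_FIRE_TIME)
    print(json.dumps(rendered["body"]["query"]["filtered"]["filter"], indent=2))
    print("testalert fires:", trigger_hits_total(RESPONSE_TWO_404S))
    for name, resp in (("mostly ok", RESPONSE_MOSTLY_OK), ("no ok", RESPONSE_NO_OK)):
        print(name, "ratio", round(error_ratio(resp), 4), "fires", trigger_error_ratio(resp))
```

The last constructed response is the edge case worth knowing about: with no ok buckets at all, the script's +1 turns the ratio into the raw error count, so the alert fires even for a handful of errors in an otherwise empty window, which is a different threshold from "10% of all values".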
