

alerting

This is the repository for the Elasticsearch alerting plugin.

Creating an alert (the `trigger` below is a Groovy script that the plugin evaluates against the result of the `request` search):

PUT _alert/testalert
{
  "request" : {
    "indices" : [
      "logstash*"
    ],
    "body" : {
    "query" : {
      "filtered": {
        "query": {
          "match": {
            "response": 404
          }
        },
        "filter": {
          "range": {
          "@timestamp" : {
            "from": "{{SCHEDULED_FIRE_TIME}}||-5m",
            "to": "{{SCHEDULED_FIRE_TIME}}"  
          }
          }
        }
      } 
      }
    }
    }
  ,
  "trigger" : { "script" : {
    "script" : "hits.total > 1",
    "script_lang" : "groovy"
  } },
  "actions" : 
    {
      "email" : {
        "addresses" : ["brian.murphy@elasticsearch.com"]
      }
    },
    
    "schedule" : "0 0/1 * * * ?",
    "enable" : true
}

Expected response:

{
   "_index": ".alerts",
   "_type": "alert",
   "_id": "testalert",
   "_version": 1,
   "created": true
}

Viewing an existing alert (expected response shown below):

{
   "found": true,
   "_index": ".alerts",
   "_type": "alert",
   "_id": "testalert",
   "_version": 1,
   "alert": {
      "trigger": {
         "script": {
            "script_lang": "groovy",
            "script": "hits.total > 1"
         }
      },
      "schedule": "0 0/1 * * * ?",
      "request": {
         "body": {
            "query": {
               "filtered": {
                  "query": {
                     "match": {
                        "response": 404
                     }
                  },
                  "filter": {
                     "range": {
                        "@timestamp": {
                           "to": "{{SCHEDULED_FIRE_TIME}}",
                           "from": "{{SCHEDULED_FIRE_TIME}}||-5m"
                        }
                     }
                  }
               }
            }
         },
         "indices": [
            "logstash*"
         ]
      },
      "enable": true,
      "actions": {
         "email": {
            "addresses": [
               "brian.murphy@elasticsearch.com"
            ]
         }
      }
   }
}

Deleting an alert:

DELETE _alert/testalert

Expected response:

{
   "found": true,
   "_index": ".alerts",
   "_type": "alert",
   "_id": "testalert",
   "_version": 4
}