additional updates for Alerting API

Signed-off-by: alicejw <alicejw@amazon.com>
This commit is contained in:
alicejw 2022-05-25 12:36:38 -07:00
parent d69f01e73d
commit 68bcb49213
2 changed files with 24 additions and 22 deletions

View File

@ -7,7 +7,7 @@ nav_order: 15
# Alerting API
Use the alerting API to programmatically manage monitors and alerts.
Use the Alerting API to programmatically create, update and manage monitors and alerts.
---
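Review bot: the rewritten intro sentence drops the serial comma ("create, update and manage monitors and alerts") while the rest of this commit uses it ("Amazon Chime, Email, Slack, or custom webhook"); suggest "create, update, and manage monitors and alerts" so the page stays consistent with the docs style.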
@ -18,11 +18,11 @@ Use the alerting API to programmatically manage monitors and alerts.
---
## Create query-level monitor
## Create a per query monitor
Introduced 1.0
{: .label .label-purple }
Query-level monitors run the query and check whether the results should trigger any alerts. As such, query-level monitors can only trigger one alert at a time. For more information about query-level monitors versus bucket-level monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors).
Per query monitors run the query and check whether the results should trigger any alerts. As such, per query monitors can only trigger one alert at a time. For more information about per query monitors and per bucket monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors).
#### Request
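Review bot: renaming "## Create query-level monitor" to "## Create a per query monitor" changes the heading's generated anchor (from #create-query-level-monitor to #create-a-per-query-monitor), so any existing inbound links or bookmarks to the old anchor will now land at the top of the page. Suggest searching the docs for the old anchor and updating it in the same commit; the same applies to the bucket-level and document-level heading renames later in this file. Note also that the link text in the body already says "[Create monitors](...#create-monitors)", which is unaffected, but the body sentence "Per query monitors run the query" reads more naturally as "A per query monitor runs its query".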
@ -250,15 +250,15 @@ For a full list of timezone names, refer to [Wikipedia](https://en.wikipedia.org
---
## Create bucket-level monitor
## Create a per bucket monitor
Bucket-level monitors categorize results into buckets separated by fields. The monitor then runs your script with each bucket's results and evaluates whether to trigger an alert. For more information about bucket-level monitors versus query-level monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors).
Per bucket monitors categorize results into buckets separated by fields. The monitor then runs your script with each bucket's results and evaluates whether to trigger an alert. For more information about per bucket and per query monitors, see [Create monitors]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#create-monitors).
```json
POST _plugins/_alerting/monitors
{
"type": "monitor",
"name": "test-bucket-level-monitor",
"name": "Demo per bucket monitor",
"monitor_type": "bucket_level_monitor",
"enabled": true,
"schedule": {
@ -379,7 +379,7 @@ POST _plugins/_alerting/monitors
"monitor" : {
"type" : "monitor",
"schema_version" : 4,
"name" : "test-bucket-level-monitor",
"name" : "Demo a per bucket monitor",
"monitor_type" : "bucket_level_monitor",
"user" : {
"name" : "",
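Review bot: the sample response name "Demo a per bucket monitor" does not match the name sent in the sample request earlier in this file ("Demo per bucket monitor"). The create-monitor response echoes the request body, so the two must be identical or readers will assume the API rewrote the name; suggest "name" : "Demo per bucket monitor" here and drop the stray "a".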
@ -508,17 +508,15 @@ POST _plugins/_alerting/monitors
}
}
```
## Create a document-level monitor
## Create a per document monitor
Introduced 2.0
{: .label .label-purple }
You can create a document-level monitor programmatically that functions the same as a per document monitor in OpenSearch Dashboards. The document-level monitor runs a query that checks whether or not the results should trigger an alert notification based on individual documents within an index.
You can create a per document monitor programmatically that functions the same as a per document monitor in OpenSearch Dashboards. The per document monitor allows you to generate an alert on individual documents in an index. It runs a query that checks whether or not the results should trigger an alert notification based on individual documents within an index. This is the only monitor that allows document-level alerting.
You can combine multiple queries in a per document monitor by adding a tag to each query and then setting the trigger condition to that tag.
For more information about document-level monitors, see [Monitor types]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#monitor-types).
OpenSearch provides a Findings index: `.opensearch-alerting-finding*` that contains findings data for all per document monitor queries.
For more information about per document monitors, see [Monitor types]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/monitors/#monitor-types).
### Search for monitor findings
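Review bot: the rewritten intro paragraph states the same point three times ("allows you to generate an alert on individual documents", "runs a query that checks whether or not the results should trigger an alert notification based on individual documents", and "This is the only monitor that allows document-level alerting"); suggest collapsing it to one sentence, for example "A per document monitor runs one or more queries against an index and generates an alert for each individual document that matches; it is the only monitor type that supports document-level alerting." Also "whether or not" should be "whether". The findings-index sentence ("OpenSearch provides a Findings index: `.opensearch-alerting-finding*` ...") is repeated almost verbatim in the monitors page hunk of this commit; keep one copy and link to it from the other so the index name is maintained in a single place.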
@ -651,7 +649,7 @@ POST _plugins/_alerting/monitors
### Limitations
If you run a document-level query while the index is getting reindexed, the results will not return the reindexed results. You would need to run the query again to get the updates.
If you run a per document query while the index is getting reindexed, the results will not return the reindexed results. You would need to run the query again to get the updates.
{: .tip}
## Update monitor
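Review bot: "per document query" in the limitation tip is not a term used anywhere else in these docs; the entity is a per document monitor, and a query is what it runs. Suggest "If a per document monitor runs while its index is being reindexed, that run will not include the reindexed documents; run the monitor again to pick up the updates." This also replaces "getting reindexed" and "return the reindexed results", which reads as though the query returns results that were reindexed rather than documents.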

View File

@ -22,21 +22,24 @@ The OpenSearch Dashboard Alerting plugin provides four monitor types:
* **per cluster metrics** This monitor runs API requests on the cluster to monitor its health.
* **per document** This monitor runs a query (or multiple queries combined by a tag) that returns individual documents that match the alert notification trigger condition.
### More about per document monitors
## Per document monitors
Introduced 2.0
{: .label .label-purple }
The per query and per bucket monitors can only take a single query with one trigger condition. Per document monitors allow you to combine multiple query trigger conditions by adding a tag to the queries. Then you can add the tag as a single trigger condition instead of specifying a single query. The Alerting plugin processes the trigger conditions from all queries as a logical OR operation, so if any of the query conditions are met, it generates the alert notification.
The Alerting plugin also creates a list of document findings data that contains metadata about which document matches each query. Security analytics can use the document findings data to keep track of and analyze the query data separately from the alert processes.
The following metadata is provided for each document finding entry:
* **Document** The document ID and index name. For example: Re5akdirhj3fl | test-logs-index.
* **Query** The query name that matched the document.
* **Time found** The timestamp that indicates when the document was found during the runtime.
The Alerting plugin also creates a list of document findings that contains metadata about which document matches each query. Security analytics can use the document findings data to keep track of and analyze the query data separately from the alert processes.
### Document findings
When a per document monitor executes a query that matches a document in an index, a finding is created.
When a per document monitor executes a query that matches a document in an index, a finding is created. OpenSearch provides a Findings index: `.opensearch-alerting-finding*` that contains findings data for all per document monitor queries. You can search the findings index with the Alerting API. To learn more, see [Search for monitor findings]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/api/#search-for-monitor-findings).
The following metadata is provided for each document finding entry:
* **Document** The document ID and index name. For example: `Re5akdirhj3fl | test-logs-index`.
* **Query** The query name that matched the document.
* **Time found** The timestamp that indicates when the document was found during the runtime.
It is possible to configure an alert notification for each finding, however we don't recommend this unless rules are well defined to prevent a huge volume of findings in a high ingestion cluster.
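Review bot: the closing caveat has a comma splice and unhyphenated compound modifiers: "It is possible to configure an alert notification for each finding, however we don't recommend this unless rules are well defined to prevent a huge volume of findings in a high ingestion cluster." Suggest "You can configure an alert notification for each finding; however, we don't recommend this unless your queries are well defined, because on a high-ingestion cluster it can produce a very large volume of alert notifications." The risk being described is a flood of notifications, not of findings: per the preceding sentence a finding is created whenever a query matches a document, regardless of whether a notification is configured. Two smaller points: promoting "### More about per document monitors" to "## Per document monitors" changes both the section's level and its anchor, so check the page's table of contents and any inbound links; and "Security analytics" should match the capitalization the Security Analytics plugin docs use.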
@ -51,6 +54,7 @@ Tag | A label that can be applied to multiple queries to combine them with the l
Alert | An event associated with a trigger. When an alert is created, the trigger performs *actions*, which can include sending a notification.
Action | The information that you want the monitor to send out after being triggered. Actions have a *destination*, a message subject, and a message body.
Destination | A reusable location for an action. Supported locations are Amazon Chime, Email, Slack, or custom webhook.
Finding | An entry for an individual document found by a per document monitor query that contains the Document ID, index name, and timestamp. Findings are stored in the Findings index: `.opensearch-alerting-finding*`.
---
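Review bot: the new "Finding" glossary entry lists "the Document ID, index name, and timestamp" but omits the query name, which the "Document findings" metadata list added in this same commit ("**Query** The query name that matched the document.") says is part of every finding. Suggest "that contains the document ID, index name, name of the matching query, and timestamp." Also "Document ID" is capitalized here while the rest of the table uses lowercase for common nouns.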