Qmando
commented
5 years ago Add
query_key: beat.hostnameThis means you get a separate alert for each value of hostname. So if srv01 is still there but srv02 disappears, you still ge tan alert.
Open badsector3 opened 5 years ago
Qmando
commented
5 years ago Add
query_key: beat.hostnameThis means you get a separate alert for each value of hostname. So if srv01 is still there but srv02 disappears, you still ge tan alert.
patrykk2252
commented
4 years ago If I add the query_key I dont get any alerts. Without the query key I get following alert:
Full alert:
# Elasticsearch host
es_host: x.x.x.x
# (Optional)
# Elasticsearch port
es_port: 9200
# (Required)
# Rule name, must be unique
name: Metricbeat and possible server down!
# (Required)
# Type of alert.
type: flatline
threshold: 1
timeframe:
seconds: 60
# (Required)
# Index to search, wildcard supported
index: metricbeat-*
# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- bool:
filter:
- term:
beat.hostname: "srv01"
- term:
beat.hostname: "srv02"
# Alert-text
alert_subject: "Metricbeat down: {0}"
alert_subject_args:
- beat.hostname
# Send a maximum of 1 alert every 5 min
realert:
minutes: 5
# (Required)
# The alert is use when a match is found
alert:
- "email"
# Include these fields in alert
include: ["beat.hostname"]
# (required, email specific)
# a list of email addresses to send alerts to
email:
- "support@example.com"
Hi.
Is there a way to include filter term value in alert? I use flatline rule.
The idea is to get the value back for key which is true. I wish to know which server is down if there are multiple term. I can create multiple alerts, one per server to accomplish the same but just wonder if there is other way of doing it.
Thanks,