juaneloxx
commented
2 years ago just an example of index missing alert i have
name: "alertname"
description: thedescription
type: flatline
index: the index
threshold: 10
timeframe:
minutes: 5
filter:
query:
query_string:
query: "little query"include: ["field"]
alert:
email
postemail:
"mail@mail.x"smtp_host: "smtphost" smtp_port: port n° smtp_ssl: false smtp_auth_file: "path" from_addr: "mail@mail.x"
http_post_url: "url" http_post_static_payload: orig_query: "qry" alert_name: "Alertname"
(cant get the code format working for some reason) so what it does is that if the entire index shows less than 10 logs in 5 min ill get an alert I want to do something like that but with a specific field not sure if the idea is clear enought, not native english speaker
im trying to figure out how to make an alert that would trigger if a certain field doesnt give any results in a set ammount of time So far ive been able to tell when an index is missing but id like to get an alert when a specific field value is missing. Lets say on the index "AD" theres a field user there are 2 users that have to login daily (pedrito and pepito) the idea is to make the alert trigger if pepito has not logged in in at least 24 hours and get a result like "Between timestamp and timestamp2, there were less than 1 pepito events." Thats from an alert i get when an index shows no activity. Ive also been thinking about making individual alert for each field value, but theres too many individual values, so i'd need to make a huge ammount of alerts and thats not the idea. Not sure if this is asking too much, anyway if i make some progress ill be updating this post.