stefnestor
commented
10 months ago I'll also note for public record ILM Searchable Snapshots coming up on Frozen tier can blip the cluster status:red with no action required by Dev on-calls, e.g. Elasticsearch logs per index hitting phase/action/step: frozen/searchablesnapshots/mount-snapshot (or maybe wait-for-index-color sorry these happen really close together so I can't fully tell):
Cluster health status changed from [YELLOW] to [RED] (reason: [snapshot shard size updated]).
Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[partial-restored-my_index-2023.10.31-000001][0]]]).Which'd resolve relating to the stretch goal in description
we should look at the possibility of "look at last X minutes of data and alert only when we see all of them to be the same status" rather than just relying on the last document status.
Which kinda overlaps with https://github.com/elastic/kibana/issues/145843
VimCommando
As part of "Cluster health" rule allow users to configure if they want to receive alert for Yellow, Red, or Both yellow and red. The default configuration value for the rule will stay as "Both yellow and red".
Combining with our changes in 7.15 to allow multiple rules of the same type users can now configure different actions for Yellow(say email) and Red(say pagerduty), if they want.
Currently the
Cluster healthrule fires when the cluster health status changes from green to yellow OR red. There is no way for the users to configure to get alert only when the cluster state changes to "red".Yellow status can happen based on temporary processing in Elasticsearch. Any action that creates a new index (rollover, shrink, mounting an index, close-and-reopen (through forcemerge w/codec change)) can cause the cluster to go briefly yellow.
Stretch goal Besides adding the extra configuration(for Yellow, Red, or Both) we should look at the possibility of "look at last X minutes of data and alert only when we see all of them to be the same status" rather than just relying on the last document status.