Running an elastalert rule: IOError: [Errno 2] No such file or directory: 'config.yaml'

Time: 2018-03-20 04:42:04

Tags: elasticsearch alert elastalert metricbeat server-monitoring

I created a rule:

    name: Metricbeat CPU Spike Rule
    type: metric_aggregation

    # How often ElastAlert will query Elasticsearch
    # The unit can be anything from weeks to seconds
    run_every:
      minutes: 1

    es_host: localhost
    es_port: 9200

    index: metricbeat-*

    buffer_time:
      hours: 1

    metric_agg_key: system.cpu.user.pct
    metric_agg_type: avg
    query_key: beat.hostname
    doc_type: metricsets

    bucket_interval:
      minutes: 5

    sync_bucket_interval: true
    #allow_buffer_time_overlap: true
    #use_run_every_query_size: true

    min_threshold: 0.5

    filter:
    - range:
        system.cpu.user.pct:
          from: 0.05
          to: 0.07

    # (Required)
    # The alert is used when a match is found
    alert:
    - "email"

    # (required, email specific)
    # a list of email addresses to send alerts to
    email:
    - "chiangpohlin@newict.com"

I think the rule works correctly, because when I tested it by running elastalert-test-rule test.yaml, I got this:

    Successfully loaded Metricbeat

    Got 155 hits from the last 1 day

    Available terms in first hit:
            beat.hostname
            beat.name
            beat.version
            @timestamp
            type
            metricset.rtt
            metricset.name
            metricset.module
            system.cpu.softirq.pct
            system.cpu.iowait.pct
            system.cpu.system.pct
            system.cpu.idle.pct
            system.cpu.user.pct
            system.cpu.irq.pct
            system.cpu.steal.pct
            system.cpu.nice.pct

    INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
                    To send them but remain verbose, use --verbose instead.
    INFO:elastalert:Alert for Metricbeat, SenzoServer at 2018-03-20T03:25:00Z:
    INFO:elastalert:Metricbeat

    Threshold violation, avg:system.cpu.user.pct 0.053 (min: 0.5 max : None)

    @timestamp: 2018-03-20T03:25:00Z
    beat.hostname: SenzoServer
    num_hits: 155
    num_matches: 16
    system.cpu.user.pct_avg: 0.053

    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
    INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer

    Would have written the following documents to writeback index (default is elastalert_status):

    silence - {'rule_name': u'Metricbeat.SenzoServer', '@timestamp': datetime.datetime(2018, 3, 20, 4, 38, 38, 277518, tzinfo=tzutc()), 'exponent': 0, 'until': datetime.datetime(2018, 3, 20, 4, 39, 38, 277508, tzinfo=tzutc())}

    elastalert_status - {'hits': 155, 'matches': 16, '@timestamp': datetime.datetime(2018, 3, 20, 4, 38, 38, 279438, tzinfo=tzutc()), 'rule_name': 'Metricbeat', 'starttime': datetime.datetime(2018, 3, 19, 4, 38, 38, 173884, tzinfo=tzutc()), 'endtime': datetime.datetime(2018, 3, 20, 4, 38, 38, 173884, tzinfo=tzutc()), 'time_taken': 0.09930419921875}

Then I tried running it with python -m elastalert.elastalert --verbose --rule test.yaml and I got this:

    Traceback (most recent call last):
      File "/usr/lib/python2.7/runpy.py", line 162, in _run_module_as_main
        "__main__", fname, loader, pkg_name)
      File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
        exec code in run_globals
      File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/elastalert.py", line 1856, in <module>
        sys.exit(main(sys.argv[1:]))
      File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/elastalert.py", line 1850, in main
        client = ElastAlerter(args)
      File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/elastalert.py", line 130, in __init__
        self.conf = load_rules(self.args)
      File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/config.py", line 433, in load_rules
        conf = yaml_loader(filename)
      File "/usr/local/lib/python2.7/dist-packages/staticconf/loader.py", line 167, in yaml_loader
        with open(filename) as fh:
    IOError: [Errno 2] No such file or directory: 'config.yaml'

Is there something wrong with my elastalert installation? I already tried installing requirements.txt, but it still doesn't work.

2 answers:

Answer 0 (score: 0)

Hey guys, I was able to solve it by running this, with cd elastalert:

    python -m elastalert.elastalert --verbose --rule example_rules/example_frequency.yaml --config config.yaml.example

I searched the whole server and there's no config.yaml file, but I found and used config.yaml.example, and it works :D

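Answer 1 (score: 0)

elastalert needs a configuration file to connect to ES and load other properties. elastalert-Test comes with its own configuration file (config.yaml.example).

To resolve this, copy config.yaml.example and rename it to config.yaml. Make the necessary changes in config.yaml and things will work.

Thanks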
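
The startup failure from the question and the fix from the answers, as an added example that is not part of the original posts or of ElastAlert itself: a preflight check that resolves the config path against the working directory, as the `open(filename)` call in the traceback does, and then looks for the global keys ElastAlert needs. The `REQUIRED_GLOBALS` list, the function names and the sample config contents are assumptions; check them against the config.yaml.example shipped with your version.

```python
import os
import re
import tempfile

# Assumption: the global keys ElastAlert refuses to start without.
REQUIRED_GLOBALS = ("rules_folder", "run_every", "buffer_time",
                    "es_host", "es_port", "writeback_index")
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w.]*)\s*:")  # unindented "key:"


def preflight(config="config.yaml", cwd=None):
    """Return the problems that would stop ElastAlert at startup."""
    # A relative --config value is resolved against the working directory,
    # which is why the same command works in one directory and not another.
    path = os.path.join(cwd or os.getcwd(), config)
    if not os.path.isfile(path):
        problems = ["no such file: %s" % path]
        if os.path.isfile(path + ".example"):
            problems.append("copy %s.example to %s and edit it" % (config, config))
        return problems
    with open(path) as fh:
        keys = {m.group(1) for m in map(TOP_LEVEL_KEY.match, fh) if m}
    return ["missing required key: %s" % k
            for k in REQUIRED_GLOBALS if k not in keys]


def demo():
    """Replay the question's failure and the fix in a scratch directory."""
    sample = ("rules_folder: example_rules\n"      # constructed sample config
              "run_every:\n  minutes: 1\n"
              "buffer_time:\n  minutes: 15\n"
              "es_host: localhost\nes_port: 9200\n"
              "writeback_index: elastalert_status\n")
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, "config.yaml.example"), "w") as fh:
        fh.write(sample)
    missing = preflight(cwd=workdir)               # only the .example exists
    with open(os.path.join(workdir, "config.yaml"), "w") as fh:
        fh.write(sample.replace("es_port: 9200\n", ""))
    incomplete = preflight(cwd=workdir)            # copied, one key lost
    with open(os.path.join(workdir, "config.yaml"), "w") as fh:
        fh.write(sample)
    fixed = preflight(cwd=workdir)                 # complete copy
    return missing, incomplete, fixed


if __name__ == "__main__":
    for label, result in zip(("missing", "incomplete", "fixed"), demo()):
        print(label, result or "ok")
```

Running `preflight()` from the directory where the alerting service is started catches a missing or incomplete config before the monitor silently fails to come up.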