所以我们已经开始实施Sentinl来发送警报。如果超过指定的阈值,我已设法获取错误计数。
我真正挣扎的是过去的最后一天!
有人可以指出我正确的方向!
以下是剧本:
{
"actions": {
"Email Action": {
"throttle_period": "0h0m0s",
"email": {
"to": "juan@company.co.za",
"from": "elk@company.co.za",
"subject": "ELK - ERRORS caused by CreditDecisionServiceAPI.",
"body": "{{payload.hits.total}} ERRORS caused by CreditDecisionServiceAPI. Threshold is 100."
}
},
"Slack Action": {
"throttle_period": "0h0m0s",
"slack": {
"channel": "#alerts",
"message": "{{payload.hits.total}} ERRORS caused by CreditDecisionServiceAPI. Threshold is 100.",
"stateless": false
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"index": [
"*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"appName": "CreditDecisionServiceAPI"
}
},
{
"match": {
"level": "ERROR"
}
},
{
"range": {
"timestamp": {
"from": "now-1d"
}
}
}
]
}
}
}
}
}
},
"condition": {
"script": {
"script": "payload.hits.total > 100"
}
},
"transform": {},
"trigger": {
"schedule": {
"later": "every 15 minutes"
}
},
"disable": true,
"report": false,
"title": "watcher_CreditDecisionServiceAPI_Errors"
}
所以要明确的是,这是查询忽略的部分:
{
"range": {
"timestamp": {
"from": "now-1d"
}
}
}
答案 0 :(得分:2)
您需要更改它并在范围之前添加过滤器 Json标记,如下所示:
"filter": [
{
"range": {
"timestamp": {
"gte": "now-1d"
}
}
}
]
答案 1 :(得分:0)
所以我们最终解决了这个问题!
弹性搜索已多次更改其DSL,因此请注意您需要查看正在使用的版本才能获得正确的解决方案。我们的版本是:6.2.3
以下查询最终有效:
display: flex