I want to set up an alert with elastalert if the load average exceeds a specific threshold.
I have adapted the example_rules to send an alert; the rule looks like this:
name: Metricbeat CPU Spike Rule
type: metric_aggregation
es_host: elasticsearch
es_port: 9200
index: metricbeat-*
buffer_time:
  minutes: 1
metric_agg_key: system.load.1
metric_agg_type: avg
query_key: beat.hostname
doc_type: metricsets
#bucket_interval:
#  minutes: 1
#sync_bucket_interval: true
#allow_buffer_time_overlap: true
#use_run_every_query_size: true
#min_threshold: 0.0
max_threshold: 0.02
#filter:
#- term:
#    metricset.name: load
# (Required)
# The alert is used when a match is found
alert:
- "slack"
slack:
slack_webhook_url: https://hooks.slack.com/services/XXXXXXXX/XXXXXXXX/XXXXXXXXX
alert_subject: "Issue LARGE_CPU occurred at {0}"
alert_subject_args:
- "@timestamp"
slack_msg_color: warning
When I test the rule with elastalert-test-rule, I always get
elastalert_status - {'hits': 0, 'matches': 0, '@timestamp': datetime.datetime(2019, 4, 15, 11, 32, 30, 752902, tzinfo=tzutc()), 'rule_name': 'Metricbeat CPU Spike Rule', 'starttime': datetime.datetime(2019, 4, 14, 11, 32, 25, 116512, tzinfo=tzutc()), 'endtime': datetime.datetime(2019, 4, 15, 11, 32, 25, 116512, tzinfo=tzutc()), 'time_taken': 5.632839918136597}
Although I set the max threshold to 0.02, which should always be exceeded.
The integration with type: frequency works fine, so there is no problem with the elasticsearch or slack integration.
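As an added illustration (not part of the question above and not elastalert's own code), the Python below approximates how a metric_aggregation rule of this shape is evaluated: the aggregation query it implies, and the comparison of each per-host average against max_threshold. A status line reporting 'hits': 0 means the query returned no documents at all, so no average was ever compared with the threshold; the query shape, ENDTIME and the sample response are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Settings copied from the rule in the question, plus the term filter the rule
# has commented out, so the query below shows what that filter would add.
RULE = {
    "metric_agg_key": "system.load.1", "metric_agg_type": "avg",
    "query_key": "beat.hostname", "buffer_time": timedelta(minutes=1),
    "max_threshold": 0.02, "filter": [{"term": {"metricset.name": "load"}}],
}
# Constructed end of the buffer window (the endtime of the test run)
ENDTIME = datetime(2019, 4, 15, 11, 32, 25, tzinfo=timezone.utc)

def build_query(rule, endtime):
    # Hypothetical query body: buffer window + rule filters, then the metric
    # aggregated per query_key value. Approximates the shape of the request,
    # not elastalert's exact internal query.
    starttime = endtime - rule["buffer_time"]
    window = {"range": {"@timestamp": {"gt": starttime.isoformat(),
                                       "lte": endtime.isoformat()}}}
    return {
        "size": 0,
        "query": {"bool": {"filter": [window] + rule["filter"]}},
        "aggs": {"by_key": {
            "terms": {"field": rule["query_key"]},
            "aggs": {"metric": {rule["metric_agg_type"]: {"field": rule["metric_agg_key"]}}},
        }},
    }

def evaluate(rule, response):
    # Return (query_key, value) pairs whose aggregated metric exceeds
    # max_threshold. Zero hits means no buckets, so nothing can match no
    # matter how low the threshold is set.
    total = response["hits"]["total"]
    if isinstance(total, dict):  # ES 7+ reports {"value": N, "relation": ...}
        total = total["value"]
    if total == 0:
        return []
    return [(b["key"], b["metric"]["value"])
            for b in response["aggregations"]["by_key"]["buckets"]
            if b["metric"]["value"] is not None
            and b["metric"]["value"] > rule["max_threshold"]]

# Constructed sample response for two hosts; only web-01 is above 0.02
SAMPLE_RESPONSE = {
    "hits": {"total": 120},
    "aggregations": {"by_key": {"buckets": [
        {"key": "web-01", "doc_count": 60, "metric": {"value": 0.85}},
        {"key": "web-02", "doc_count": 60, "metric": {"value": 0.01}}]}},
}
```

Running build_query's output directly against the index (for example with curl) shows whether the time window, doc_type and index pattern actually return documents before any threshold is involved.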