随着事件的增加,是否可以使用ElastAlert报告特定事件的总数?
我尝试了以下规则(由于解析问题而失败),但是目前尚不清楚如何最好地监控和报告给定查询在一段时间内的匹配次数,而不是报告文档内容从查询中回来。
name: Cumulative events
type: change
index: myindex*
compare_key: num_hits
timeframe:
minutes: 5
filter:
- query:
bool:
must:
- match:
data.attributes.source:
query: APP_NAME
- range:
eventTimestamp:
gte: now/d
lte: now
- regexp:
data.attributes.message: ".*complete.*"
alert:
- "slack"
alert_subject: "Cumulative event report"
alert_text_type: alert_text_only
alert_text: "{0} events so far today"
alert_text_args: [num_hits]
slack_webhook_url: https://hooks.slack.com/services/SNIP/SNIP/SNIP
slack_proxy: someserver:8080