andromedarabbit/elasticsearch-x-pack-alerting-example.json

## elasticsearch-x-pack-alerting-example.json
PUT _xpack/watcher/watch/outofmemoryerror
{
  "trigger" : {
    "schedule" : { "cron" : "0 0/4 * * * ?" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [
          "</logstash><logstash -{now-1h/d}t{now-1h{HH}}>",
          "</logstash><logstash -{now/d}t{now{HH}}>"
        ],
        "body" : {
          "query" : {
            "bool" : {
              "must" : {
                "multi_match": {
                   "query": "OutOfMemoryError",
                   "fields": ["message", "log"]
                }
              },
              "filter" : {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-5m",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          },
            "sort" : [
                { "@timestamp" : {"order" : "desc"}},
                "_score"
            ]
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {

    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "message" : {
          "to" : [ "#ops", "@dev" ],
          "text" : "로그 모니터링 알람",
          "attachments" : [
            {
              "title" : "OutOfMemoryError",
              "text" : "지난 5분 동안 해당 오류가 {{ctx.payload.hits.total}}회 발생했습니다. 가장 최근의 오류는 다음과 같습니다.",
              "color" : "warning"
            },
            {
              "fields": [
                {
                    "title": "환경",
                    "value": "Prod",
                    "short": true
                },
                              {
                                  "title": "발생시각",
                                  "value": "{{ctx.payload.hits.hits.0._source.@timestamp}}",
                                  "short": true
                              },
                              {
                                  "title": "메시지",
                                  "value": "{{ctx.payload.hits.hits.0._source.message}}",
                                  "short": false
                              },
                              {
                                  "title": "확인명령어",
                                  "value": "`GET /{{ctx.payload.hits.hits.0._index}}/{{ctx.payload.hits.hits.0._type}}/{{ctx.payload.hits.hits.0._id}}`",
                                  "short": false
                              }
                          ],
              "color" : "warning"
            }
          ]
        }
      }
    }
  }
}
	PUT _xpack/watcher/watch/outofmemoryerror
	{
	"trigger" : {
	"schedule" : { "cron" : "0 0/4 * * * ?" }
	},
	"input" : {
	"search" : {
	"request" : {
	"indices" : [
	"</logstash><logstash -{now-1h/d}t{now-1h{HH}}>",
	"</logstash><logstash -{now/d}t{now{HH}}>"
	],
	"body" : {
	"query" : {
	"bool" : {
	"must" : {
	"multi_match": {
	"query": "OutOfMemoryError",
	"fields": ["message", "log"]
	}
	},
	"filter" : {
	"range": {
	"@timestamp": {
	"from": "{{ctx.trigger.scheduled_time}}\|\|-5m",
	"to": "{{ctx.trigger.triggered_time}}"
	}
	}
	}
	}
	},
	"sort" : [
	{ "@timestamp" : {"order" : "desc"}},
	"_score"
	]
	}
	}
	}
	},
	"condition" : {
	"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
	},
	"actions" : {

	"notify-slack" : {
	"throttle_period" : "5m",
	"slack" : {
	"message" : {
	"to" : [ "#ops", "@dev" ],
	"text" : "로그 모니터링 알람",
	"attachments" : [
	{
	"title" : "OutOfMemoryError",
	"text" : "지난 5분 동안 해당 오류가 {{ctx.payload.hits.total}}회 발생했습니다. 가장 최근의 오류는 다음과 같습니다.",
	"color" : "warning"
	},
	{
	"fields": [
	{
	"title": "환경",
	"value": "Prod",
	"short": true
	},
	{
	"title": "발생시각",
	"value": "{{ctx.payload.hits.hits.0._source.@timestamp}}",
	"short": true
	},
	{
	"title": "메시지",
	"value": "{{ctx.payload.hits.hits.0._source.message}}",
	"short": false
	},
	{
	"title": "확인명령어",
	"value": "`GET /{{ctx.payload.hits.hits.0._index}}/{{ctx.payload.hits.hits.0._type}}/{{ctx.payload.hits.hits.0._id}}`",
	"short": false
	}
	],
	"color" : "warning"
	}
	]
	}
	}
	}
	}
	}