processes(search).over(tags).rollup('count').last(timeframe) > thresholds
search: A search string for querying the processes. This will return the same search results as the live process page.tags: Comma-separated list of tags to filter on. The.over()portion can be removed if there are no tag filters.timeframe: Choose from['1m', '5m', '10m', '15m', '30m', '1h', '2h', '4h', '24h']threshold: Numeric threshold. These monitors also support thethresholdsoption as defined on the monitor docs
Example:
processes('vim').over('team:sre,user:root').rollup('count').last('1m') > 0
- Besides the new query format you should set the monitor type as
process alert. - "no data" behavior is controlled with the threshold, i.e.
$query < 0.
Ruby/dogapi example:
require 'rubygems'
require 'dogapi'
api_key = '<YOUR_API_KEY>'
app_key = '<YOUR_APP_KEY>'
dog = Dogapi::Client.new(api_key, app_key)
# Create a new monitor
options = {}
tags = ["load", "host", "example"]
dog.monitor("process alert", "processes('ssh').over('env:prod').rollup('count').last('10m') > 0", : name => "Someone is running ssh in env:prod", : message => "@ceo@datadog.com check this out!", : tags => tags, : options => options)Barkfile example:
monitor "Someone is running ssh in env:prod", :type=>"process alert" do
query "processes('ssh').over('env:prod').rollup('count').last('10m') > 0"
message "@ceo@datadog.com check this out!"
tags ["load", "host", "example"]
options do
notify_audit true
end
end