
@daniellavoie
Created November 17, 2016 05:07
Alerting for Elasticsearch

Reference Documentation

https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html

Composition of a Watcher

  • Schedule
  • Query
  • Condition
  • Actions

Check Watcher Stats

GET _xpack/watcher/stats

Get the latest executed Watches

GET .watcher-history*/_search?pretty
{
  "sort" : [
    { "result.execution_time" : "desc" }
  ]
}

Email Configuration (elasticsearch.yml)

xpack.notification.email.account:
  work:
    profile: gmail
    email_defaults:
      from: alert@cspinformatique.com
    smtp:
      auth: true
      starttls.enable: true
      host: smtpout.secureserver.net
      port: 587
      user: <username>
      password: <password>

Alert on Cluster Health

PUT _xpack/watcher/watch/cluster_health_watch
{
  "trigger" : {
    "schedule" : { "interval" : "10s" }
  },
  "input" : {
    "http" : {
      "request" : {
        "host" : "localhost",
        "port" : 9200,
        "path" : "/_cluster/health"
      }
    }
  },
  "condition" : {
    "compare" : {
      "ctx.payload.status" : { "eq" : "red" }
    }
  },
  "actions" : {
    "send_email" : {
      "email" : {
        "to" : "<username>@<domainname>",
        "subject" : "Cluster Status Warning",
        "body" : "Cluster status is RED"
      }
    }
  }
}

Delete the Watch

DELETE _xpack/watcher/watch/cluster_health_watch

Action Throttling

https://www.elastic.co/guide/en/x-pack/current/actions.html#actions-ack-throttle
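A worked example tying the pieces above together (added here; this is not code from the gist or from Elastic). It builds the cluster_health_watch body from the gist with an action-level throttle_period (a real Watcher action setting, so a cluster that stays RED does not mail every 10 seconds), re-implements the compare condition locally so you can see how "ctx.payload.status" is resolved and tested, and flattens a .watcher-history* search response into one row per execution so you can audit which watches fired and which actions were throttled. The history field names (watch_id, result.execution_time, result.condition.met, result.actions[].status) are assumed to match the history document format the gist queries; the sample response and the recipient address are constructed.

```python
"""Added example (not part of the original gist): build the gist's watch with a
throttle, evaluate its `compare` condition locally, and summarise watcher history."""
from typing import Any, Dict, List

# Operators supported by Watcher's `compare` condition.
COMPARE_OPS = {
    "eq": lambda a, b: a == b,
    "not_eq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "lte": lambda a, b: a <= b,
}


def build_cluster_health_watch(to_addr: str, interval: str = "10s",
                               throttle_period: str = "5m") -> Dict[str, Any]:
    """Return the watch body from the gist plus an action-level `throttle_period`
    so repeated RED results within that window do not each send an e-mail."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"http": {"request": {"host": "localhost", "port": 9200,
                                       "path": "/_cluster/health"}}},
        "condition": {"compare": {"ctx.payload.status": {"eq": "red"}}},
        "actions": {
            "send_email": {
                "throttle_period": throttle_period,
                "email": {"to": to_addr,
                          "subject": "Cluster Status Warning",
                          "body": "Cluster status is RED"},
            }
        },
    }


def lookup_path(ctx: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'ctx.payload.status' against the execution
    context dict; the leading 'ctx' names the root. Returns None if missing."""
    node: Any = ctx
    for part in path.split(".")[1:]:          # drop the 'ctx' prefix
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_compare(condition: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    """Local re-implementation of the `compare` condition: every path/operator
    pair must hold for the condition to be met; a missing path never matches."""
    for path, spec in condition["compare"].items():
        actual = lookup_path(ctx, path)
        for op, expected in spec.items():
            if op not in COMPARE_OPS:
                raise ValueError("unsupported compare operator: " + op)
            if actual is None or not COMPARE_OPS[op](actual, expected):
                return False
    return True


def summarize_history(search_response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a .watcher-history* search response into one row per execution:
    watch id, execution time, whether the condition was met, and each action's
    status (e.g. success / throttled / failure)."""
    rows = []
    for hit in search_response["hits"]["hits"]:
        src = hit["_source"]
        result = src.get("result", {})
        rows.append({
            "watch_id": src["watch_id"],
            "execution_time": result.get("execution_time"),
            "condition_met": result.get("condition", {}).get("met", False),
            "actions": {a["id"]: a["status"] for a in result.get("actions", [])},
        })
    return rows


# Constructed sample history response: two executions of the gist's watch,
# the second one throttled because the first e-mail went out moments before.
SAMPLE_HISTORY = {"hits": {"hits": [
    {"_source": {"watch_id": "cluster_health_watch",
                 "result": {"execution_time": "2016-11-17T05:07:10.000Z",
                            "condition": {"met": True},
                            "actions": [{"id": "send_email", "type": "email",
                                         "status": "success"}]}}},
    {"_source": {"watch_id": "cluster_health_watch",
                 "result": {"execution_time": "2016-11-17T05:07:20.000Z",
                            "condition": {"met": True},
                            "actions": [{"id": "send_email", "type": "email",
                                         "status": "throttled"}]}}},
]}}

if __name__ == "__main__":
    watch = build_cluster_health_watch("ops@example.invalid")   # constructed address
    for status in ("green", "yellow", "red"):
        print(status, "->", evaluate_compare(watch["condition"], {"payload": {"status": status}}))
    for row in summarize_history(SAMPLE_HISTORY):
        print(row)
```

Use build_cluster_health_watch() as the body of the PUT _xpack/watcher/watch/... request above; evaluate_compare() is handy for checking a condition against a payload captured from GET /_cluster/health before deploying the watch, and summarize_history() over the .watcher-history* query result shows whether the throttle is suppressing repeats as intended.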