
@inqueue
Last active March 30, 2016 15:10
Watch Filesystem Data from Topbeat
{
"metadata": {
"used_percent": 0.9,
"email_to": "email@domain.tld"
},
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"indices": [ "topbeat-*"],
"types": [ "filesystem" ],
"body": {
"aggs": {
"host": {
"terms": {
"field": "beat.hostname",
"order": { "disk_usage": "desc"}
},
"aggs": {
"disk_usage": {
"max": { "field": "fs.used_p"}
}
}
}
},
"query": {
"bool": {
"filter": [
{ "range": { "@timestamp": { "gte": "now-5m", "lte": "now"}}},
{ "range": { "fs.used_p": { "gte": "{{ctx.metadata.used_percent}}"}}}
]
}
}
}
}
}
},
"condition": {
"array_compare": {
"ctx.payload.aggregations.host.buckets": {
"path": "doc_count",
"gte": { "value": "5", "quantifier": "some"}
}
}
},
"actions": {
"email_alert": {
"throttle_period": "15m",
"transform": {
"script": "threshold_p = ctx.metadata.used_percent*100; def hosts_list = ctx.payload.aggregations.host.buckets.collect { [ key: it.key, disk_usage: String.format('%.0f', it.disk_usage.value*100) ] }; return [ threshold: String.format('%.0f', threshold_p), hosts: hosts_list ];"
},
"email": {
"to": "{{ctx.metadata.email_to}}",
"subject": "Watcher {{ctx.watch_id}} at {{ctx.trigger.triggered_time}}: Filesystem Usage Alert for some hosts",
"body": "Some hosts are over {{ctx.payload.threshold}}% utilized.\n\n{{#ctx.payload.hosts}}{{disk_usage}}%\t{{key}}\n{{/ctx.payload.hosts}}",
"priority": "high",
"attach_data": true,
"attach_data": {
"format": "yaml"
}
}
}
}
}
{
"metadata": {
"used_percent": 0.9,
"watch_period": "5m",
"email_to": "jbryan@elastic.co"
},
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"indices": [ "<topbeat-{now/d}>"],
"types": [ "filesystem" ],
"body": {
"aggs": {
"host": {
"terms": {
"field": "beat.hostname",
"order": { "disk_usage": "desc"}
},
"aggs": {
"disk_usage": {
"max": { "field": "fs.used_p"}
}
}
}
},
"query": {
"bool": {
"filter": [
{ "range": { "@timestamp": { "gte": "now-{{ctx.metadata.watch_period}}", "lte": "now"}}},
{ "range": { "fs.used_p": { "gte": "{{ctx.metadata.used_percent}}"}}}
]
}
}
}
}
}
},
"condition": {
"array_compare": {
"ctx.payload.aggregations.host.buckets": {
"path": "doc_count",
"gte": { "value": "5", "quantifier": "some"}
}
}
},
"actions": {
"email_alert": {
"throttle_period": "15m",
"transform": {
"script": "threshold_p = ctx.metadata.used_percent*100; def hosts_list = ctx.payload.aggregations.host.buckets.collect { [ key: it.key, disk_usage: String.format('%.0f', it.disk_usage.value*100) ] }; return [ threshold: String.format('%.0f', threshold_p), hosts: hosts_list ];"
},
"email": {
"to": "{{ctx.metadata.email_to}}",
"subject": "Watcher {{ctx.watch_id}} at {{ctx.trigger.triggered_time}}: Filesystem Usage Alert for some hosts",
"body": "Some hosts are over {{ctx.payload.threshold}}% utilized.\n\n{{#ctx.payload.hosts}}{{disk_usage}}%\t{{key}}\n{{/ctx.payload.hosts}}",
"priority": "high",
"attach_data": true,
"attach_data": {
"format": "yaml"
}
}
}
}
}
@inqueue
Author

inqueue commented Mar 29, 2016

This Watch runs every 5 minutes and looks for high filesystem usage reported by Topbeat in the latest 5 minutes of data. metadata.used_percent (default 0.9, i.e. 90%) sets the usage threshold, and the alert fires when at least one host has 5 or more matching documents in that window. metadata.email_to is the email recipient. The email action is throttled if the watch triggers more than once within a 15-minute period.
