jocooler/sites_down.yaml

## sites_down.yaml
es_host: your_host
es_port: your_port
name: Sites Down
description: Site pings returned down more than once in 15 minutes.
type: frequency
index: heartbeat-*
num_events: 2
timeframe:
  minutes: 15
filter:
- query:
    query_string:
      query: "(monitor.status: down) AND !(monitor.name: http)"
realert:
  hours: 1
exponential_realert:
  hours: 8

alert:
- "email"
email:
- "donald.duck@disney.com"
- "mickey.mouse@disney.com"
alert_subject: "ElastAlert - {2} - {0} was down at {1}"
alert_subject_args:
  - monitor.name
  - "@timestamp"
  - name
from_addr: "elastalert@disney.com"
smtp_host: "email.disney.com"
smtp_port: 25

email_format: html

attach_related: true

use_kibana4_dashboard: "http://kibana_server/app/kibana#/dashboard/f3e771c0-eb19-11e6-be20-559646f8b9ba"
alert_text_type: exclude_fields
alert_text: >-
  <h3>ElastAlert Notification: {0}</h3>
  <h4>{1}</h4>
  <p>A total of {2} down sites were detected. For more information, consult the <a href='{6}'>Dashboard</a>.</p>
  <h4>Trigger events:</h4>
  <table style="border-collapse:collapse">
  <thead><tr><th style="border:1px solid black; padding:6px;">Monitor</th><th style="border:1px solid black; padding:6px;">Error Type</th></tr></thead>
  <tbody>
  <tr><td style="border:1px solid black; padding:6px;">{3[0][monitor][name]}</td><td style="border:1px solid black; padding:6px;">{3[0][error][type]}</td></tr>
  <tr><td style="border:1px solid black; padding:6px;">{4}</td><td style="border:1px solid black; padding:6px;">{5}</td></tr>
  </tbody>
  </table>
  <br />
  <h4>Technical details:</h4>
  <pre>

  {3[0][error][message]}


  {7}

  </pre>
alert_text_args:
  - name
  - description
  - num_events
  - related_events # related events contains the earlier event, so it's first.
  - monitor.name
  - error.type
  - kibana_link
  - error.message
	es_host: your_host
	es_port: your_port
	name: Sites Down
	description: Site pings returned down more than once in 15 minutes.
	type: frequency
	index: heartbeat-*
	num_events: 2
	timeframe:
	minutes: 15
	filter:
	- query:
	query_string:
	query: "(monitor.status: down) AND !(monitor.name: http)"
	realert:
	hours: 1
	exponential_realert:
	hours: 8

	alert:
	- "email"
	email:
	- "donald.duck@disney.com"
	- "mickey.mouse@disney.com"
	alert_subject: "ElastAlert - {2} - {0} was down at {1}"
	alert_subject_args:
	- monitor.name
	- "@timestamp"
	- name
	from_addr: "elastalert@disney.com"
	smtp_host: "email.disney.com"
	smtp_port: 25

	email_format: html

	attach_related: true

	use_kibana4_dashboard: "http://kibana_server/app/kibana#/dashboard/f3e771c0-eb19-11e6-be20-559646f8b9ba"
	alert_text_type: exclude_fields
	alert_text: >-
	<h3>ElastAlert Notification: {0}</h3>
	<h4>{1}</h4>
	<p>A total of {2} down sites were detected. For more information, consult the <a href='{6}'>Dashboard</a>.</p>
	<h4>Trigger events:</h4>
	<table style="border-collapse:collapse">
	<thead><tr><th style="border:1px solid black; padding:6px;">Monitor</th><th style="border:1px solid black; padding:6px;">Error Type</th></tr></thead>
	<tbody>
	<tr><td style="border:1px solid black; padding:6px;">{3[0][monitor][name]}</td><td style="border:1px solid black; padding:6px;">{3[0][error][type]}</td></tr>
	<tr><td style="border:1px solid black; padding:6px;">{4}</td><td style="border:1px solid black; padding:6px;">{5}</td></tr>
	</tbody>
	</table>
	<br />
	<h4>Technical details:</h4>
	<pre>

	{3[0][error][message]}


	{7}

	</pre>
	alert_text_args:
	- name
	- description
	- num_events
	- related_events # related events contains the earlier event, so it's first.
	- monitor.name
	- error.type
	- kibana_link
	- error.message