
Elasticsearch Query for not receiving data


We are monitoring multiple servers with Metricbeat. We want to create an alert when Metricbeat has stopped on any of the servers. If no data has been received from a server in the last 5 minutes, we treat that as Metricbeat having stopped on that server.

I want to know what the query for this alert could look like. (Note that the watch below triggers every 30 minutes but only looks back 5 minutes, so servers that stop sending data between runs would go unnoticed; the trigger interval should be no longer than the lookback window.)

PUT _watcher/watch/eba1f994-1306-4846-b586-5a2c6135b4bc
{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-5m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "servers": {
              "terms": {
                "field": "tags",
                "size": 1000,
                "min_doc_count": 0
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.servers.buckets": {
        "path": "doc_count",
        "eq": {
          "value": 0,
          "quantifier": "some"
        }
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "These servers are not sending data: {{#ctx.payload.aggregations.servers.buckets}} {{key}} {{doc_count}},{{/ctx.payload.aggregations.servers.buckets}}"
      }
    }
  },
 

Solution

  • You can use watcher configuration like below:

    PUT _watcher/watch/metric_check
    {
      "trigger": {
        "schedule": {
          "interval": "1m"
        }
      },
      "input": {
        "search": {
          "request": {
            "indices": "your_index_name_or_index_pattern",
            "types": "count",
            "body": {
              "query": {
                "bool": {
                  "filter": [
                    {
                      "range": {
                        "timestamp": {
                          "gte": "now-5m",
                          "lte": "now"
                        }
                      }
                    }
                  ]
                }
              },
              "aggs": {
                "servers": {
                  "terms": {
                    "field": "server_host_or_ip_field_name",
                    "size": 100,
                    "min_doc_count": 0
                  },
                  "aggs": {
                    "the_filter": {
                      "bucket_selector": {
                        "buckets_path": {
                          "the_doc_count": "_count"
                        },
                        "script": "params.the_doc_count < 1"
                      }
                    }
                  }
                }
              },
              "size": 1
            }
          }
        }
      },
       "condition": {
          "array_compare": {
            "ctx.payload.aggregations.servers.buckets": {
              "path": "doc_count",
              "eq": {
                 "value": 0
              }
            }
          }
        },
      "actions": {
        "send_email": { 
          "email": {
            "to": "<username>@<domainname>", 
            "subject": "Watcher Notification - MetricBeat no data",
                "body": "These servers are not sending data: {{#ctx.payload.aggregations.servers.buckets}} {{key}},{{/ctx.payload.aggregations.servers.buckets}}"
          }
        }
      }
    }
    

    Please see the Array Compare condition and Email action documentation for more details.

    Note: I have not validated this configuration, but it should work. Before deploying it, adjust the placeholders to your cluster: the timestamp field (Metricbeat writes `@timestamp`, not `timestamp`), the server field name, the `types` parameter (mapping types are deprecated/removed in recent Elasticsearch versions, so drop it there), and the recipient address. Keep the trigger interval no longer than the 5-minute lookback window so that no gap between runs goes unchecked, and be aware that `min_doc_count: 0` only returns zero-count buckets for terms that already exist in the searched indices — a server that has never indexed anything will not appear.