Customizing the information in the alerts the elastalert plugin receives for Elasticsearch

I have configured an elastalert instance with my elasticsearch host. I have also created a sample rule that checks the log level and alerts when that pattern is matched in the logs.

Everything works fine and I receive the alerts correctly on my Slack channel.

The elastalert plugin is sending all the attributes related to the pattern I am looking for; but I am not interested in all of that information. I only care about certain specific attributes.

# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
es_host:

# (Optional)
# Elasticsearch port
es_port:

# (Optional) Connect with SSL to elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: DB2 test Rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur within timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: logstash-* # logstash-2016.04.05 #logstash-YYYY.MM.DD # logstash-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 12

# (Required)
# A list of elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "type: db2 AND logLevel: Warning"

# (Required)
# The alert is used when a match is found
alert:
- "slack"

slack:
  slack_webhook_url: "XYZ"

DB2 test Rule

DB2 test Rule

At least 1 events occurred between 2016-04-29 07:51 UTC and 2016-04-29 19:51 UTC

@timestamp: 2016-04-29T19:51:45.940Z
@version: 1
_id:
_index: logstash-2016.04.29
_type: db2
apphdl:
appid:
authid:
day: 29
db: NEO
eduid:
eduname:
function:
host:
hostname:
hour: 14
id:
instance:
logLevel: Warning
logMessage:
LOADID:
DATA #2 :
Completed
message: LEVEL: Warning

and so on, etc. ...

(with information about the timestamp, log level and many more fields.)

Is there a way to do this? Any help or guidance is much appreciated.

Answer:

According to the ElastAlert documentation, you can use `include` to restrict the alert to only certain fields of the document.

In your case:

include: ["@timestamp", "logLevel", "message"]
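To make the effect of `include` concrete, here is an added Python example (not ElastAlert's own code) that simulates what the option does to an alert body. The rule and the match document are constructed to mirror the question: `RULE` is the rule file as a dict with `include` added, `MATCH` is shaped like the document in the posted alert, and `project_match` / `render_alert` are hypothetical helpers that reproduce the documented behaviour: only the listed fields (plus `@timestamp`, which ElastAlert always keeps) reach the alert, and listed fields that are missing from a document are silently skipped. The webhook URL is a placeholder; a real one is a credential and should not be pasted into a question.

```python
"""Simulate how ElastAlert's `include` option trims the fields in an alert.

Added example, not ElastAlert's own code. RULE, MATCH, project_match and
render_alert are constructed/hypothetical; they mimic the documented
behaviour of `include` rather than calling ElastAlert itself.
"""

# The question's rule as a dict, with `include` added (constructed).
RULE = {
    "name": "DB2 test Rule",
    "type": "frequency",
    "index": "logstash-*",
    "num_events": 1,
    "timeframe": {"hours": 12},
    "filter": [{"query": {"query_string": {"query": "type: db2 AND logLevel: Warning"}}}],
    "alert": ["slack"],
    # Placeholder: the webhook URL is a secret and is never shown in an alert.
    "slack_webhook_url": "<SLACK_WEBHOOK_URL_PLACEHOLDER>",
    "include": ["@timestamp", "logLevel", "message"],
}

# Constructed match document, shaped like the one in the question's alert.
MATCH = {
    "@timestamp": "2016-04-29T19:51:45.940Z",
    "@version": "1",
    "_index": "logstash-2016.04.29",
    "_type": "db2",
    "db": "NEO",
    "day": 29,
    "hour": 14,
    "logLevel": "Warning",
    "logMessage": "LOADID: DATA #2 : Completed",
    "message": "LEVEL: Warning",
}


def project_match(rule, match):
    """Return only the fields `include` names, always keeping @timestamp.

    Fields listed in `include` but absent from the document are skipped,
    so a typo in the list never raises, it just yields a sparser alert.
    """
    fields = list(rule.get("include", []))
    if "@timestamp" not in fields:
        fields.insert(0, "@timestamp")
    return {name: match[name] for name in fields if name in match}


def render_alert(rule, match):
    """Render the trimmed alert body in the rule-name-then-fields layout
    seen in the question's Slack message."""
    body = project_match(rule, match)
    lines = [rule["name"], ""]
    lines += [f"{name}: {value}" for name, value in body.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_alert(RULE, MATCH))
```

Running it prints the rule name followed by just `@timestamp`, `logLevel` and `message`; the `db`, `day`, `hour` and `_index` fields from the full document no longer appear. Keep `@timestamp` in mind when reviewing alerts: it is present whether or not you list it.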

Source link: utcz.com/qa/404711.html
