Create an alert when a server is down

Sana · April 21, 2021, 8:47am

Hello Community,

Do you have any idea about how to create an alert opendistro whenever a server is down. My KPIs are sent to Elasticsearch by metricbeat that is based on multiple servers (each document contains @timestamp and host field)?

My idea was to compare the list of hosts that match documents in the last periond of time (10 min for example) with the list of hosts that sent document in the last 24h But I stuck with the creation of monitor extraction query ( just one query request is possible)

Thnak you in advance!

aparo · April 21, 2021, 4:54pm

Hi Sana,
you should use aggregation global and filters to achieve two sections of your aggregations with the tow ranges and then compare the values.

Sana · May 7, 2021, 7:24am

Hello Aparo,
Thanks for the response!
I used filters to extract the two sections but i still have no idea about how to compare the two buckets in the same query and extract the difference. I share with you my query:

GET metricbeat*/_search
{
“size” : 0,
“aggregations”: {
“minute_timestamp”: {
“filter”: {
“range”: {
“@timestamp”: {
“from”: “now-10m”,
“to”: null,
“include_lower”: true,
“include_upper”: true,
“boost”: 1
}
}
},
“aggregations”: {
“server_ok”: {
“terms”: {
“field”: “host.hostname”,
“size”: 1000,
“min_doc_count”: 1,
“shard_min_doc_count”: 0,
“show_term_doc_count_error”: false,
“order”: [
{
“_count”: “desc”
},
{
“_key”: “asc”
}
]
}
}
}
},
“day_timestamp”: {
“filter”: {
“range”: {
“@timestamp”: {
“from”: “now-1d”,
“to”: null,
“include_lower”: true,
“include_upper”: true,
“boost”: 1
}
}
},
“aggregations”: {
“server_ok”: {
“terms”: {
“field”: “host.hostname”,
“size”: 1000,
“min_doc_count”: 1,
“shard_min_doc_count”: 0,
“show_term_doc_count_error”: false,
“order”: [
{
“_count”: “desc”
},
{
“_key”: “asc”
}
]
}
}
}
}
}
}

what i want is to construct a third bucket that contains names of servers which exist in day_timestamp bucket and don’t exist in minute_timestamp bucket

Thank you!

aparo · May 14, 2021, 4:46pm

Hi it’s quite simple with painless you can access to the returned object and directly compare the values.
I need a response for provide you some code.

Regards,
Alberto

Topic		Replies	Views
DSL query for indices not receiving any docs Alerting	6	558	December 3, 2021
What is the best way to display and alert for downtime of endpoints monitored using elastic heartbeat Observability	2	341	May 19, 2023
No data for any monitor query Alerting	1	1689	November 12, 2019
Query not working when using timestamp filter Alerting	3	6008	August 31, 2020
Need multiple filter condition for alerting during create monitor Alerting	1	986	December 2, 2021

Create an alert when a server is down

Related Topics