Alert for multiple indices without summing them up

Hi,

I'd like to have alerts if indices don't receive any new documents for a few minutes, therefore I have a rule like this:
[image: screenshot of the alert rule]
Now if I add another index to the rule, they get summarized, so as long as one index receives data, an error in the other one wouldn't be detected.
Is there another way to make the rule work for each index independently without having to create a separate rule for each index?

Have you checked the new ES|QL language?

You can create a rule from something like this:

# Add some sample data

PUT discuss-352807-index-1
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date"},
      "metric": { "type": "integer"}
    }
  }
}

PUT discuss-352807-index-2
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date"},
      "metric": { "type": "integer"}
    }
  }
}

PUT discuss-352807-index-3
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date"},
      "metric": { "type": "integer"}
    }
  }
}

POST discuss-352807-index-1/_bulk
{ "index": {}}
{"@timestamp": "2024-02-05", "metric": 10}
{ "index": {}}
{"@timestamp": "2024-02-06", "metric": 10}
{ "index": {}}
{"@timestamp": "2024-02-07", "metric": 10}
{ "index": {}}
{"@timestamp": "2024-02-08", "metric": 10}


POST discuss-352807-index-2/_bulk
{ "index": {}}
{"@timestamp": "2024-02-05", "metric": 3}
{ "index": {}}
{"@timestamp": "2024-02-06", "metric": 3}
{ "index": {}}
{"@timestamp": "2024-02-07", "metric": 3}


POST discuss-352807-index-3/_bulk
{ "index": {}}
{"@timestamp": "2024-02-05", "metric": 1}
{ "index": {}}
{"@timestamp": "2024-02-06", "metric": 1}

Define an alert rule that runs this ES|QL query to get the number of indices with at least one document. The rule will trigger if there's at least one index that passes the first where condition and it will not trigger if there's no new data in all indices.

from discuss-352807-index-* [METADATA _index]
| stats indexCount = count(_index) by _index
| where indexCount > 0
| stats totalIndices = count(indexCount)
| where totalIndices > 0

In the alert rule this will be triggered by the configured time window so all the indices need to share the same time field.

Does this make sense?
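A per-index variant of the ES|QL approach in the answer above, added here as an example (it is not code from the original thread): instead of counting indices, it keeps the newest timestamp seen in each index and returns only the indices whose newest document is older than an assumed 5-minute threshold, so every returned row is one index that has gone quiet on its own. It assumes the same discuss-352807-index-* sample indices and @timestamp field as the answer.

```esql
// Group by index name and keep the newest @timestamp seen in each index.
FROM discuss-352807-index-* [METADATA _index]
| STATS lastSeen = MAX(@timestamp), docCount = COUNT(*) BY _index
// Assumed staleness threshold: no new document for 5 minutes.
| WHERE lastSeen < NOW() - 5 minutes
| KEEP _index, lastSeen, docCount
| SORT lastSeen ASC
```

An index with no documents at all inside the query's time range produces no group and therefore no row, so run this over a range longer than the threshold (with the sample data above, dated February 2024, all three indices come back as stale). Newer releases write the metadata clause as METADATA _index without the brackets.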
