I've been working around with "Rules and Connectors" and "Detection Rules" in order to get a notification when one of my beats stops sending data. Each beat has different indexes, so I would like to "know" if for any reason any of them stops sending data.
I've created a Rule in "Rules and Connectors" that looks like this:
INDEX THRESHOLD
select an index
INDEX winlogbeat-*
WHEN count ()
OVER all documents
define the condition
IS BELOW OR EQUALS 1
FOR THE LAST 20 minutes
The problem with that is that it looks like the rule doesn't want to read "zero" documents.
If the rule was to trigger something higher or equal to 1, it does trigger an alert.
To trigger those "zero documents", I don't have any kind of alert.
Is there any workaround about that?
Am I doing something wrong?
Is there an easier way to have alerts when indexes have 0 documents?
But, until it gets done, is there any way to do it without this feature? Like, using a plugin, or something else?
I'm not figuring out any other way to do it.
There's no workaround as far as I know, since the problem involves the LACK of data.
However, we fixed a similar bug in the ES Query alerting rule type, and if your rule is as simple as what's shown above, that might work out fine for you.
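An added example, not part of the thread and not Elastic's code: a no-data check run outside the rule engine, which is what the question asks about. It builds a `_count` request per index pattern for the last 20 minutes and treats a missing or empty response as silence. The `@timestamp` field, the `filebeat-*` and `metricbeat-*` patterns and the sample responses are assumptions constructed for illustration.

```python
# Assumption: each beat writes an @timestamp field (the Beats default).
# The HTTP call itself is left out so the logic runs offline; send the
# path/body from count_request() with any Elasticsearch client.

def count_request(pattern, minutes=20):
    """Return (path, body) for Elasticsearch's _count API over the last N minutes."""
    body = {"query": {"range": {"@timestamp": {"gte": f"now-{minutes}m"}}}}
    return f"/{pattern}/_count", body


def silent_sources(expected, responses):
    """Return the expected patterns that reported no documents.

    `responses` maps pattern -> parsed _count response. A pattern with no
    response at all, or a response without "count", is treated as silent:
    the check starts from the list of sources that SHOULD be reporting,
    so a source that produced nothing cannot drop out of the result.
    """
    silent = []
    for pattern in expected:
        resp = responses.get(pattern) or {}
        if int(resp.get("count", 0)) == 0:
            silent.append(pattern)
    return silent


# Constructed sample data: one pattern per beat that is expected to report.
EXPECTED = ["winlogbeat-*", "filebeat-*", "metricbeat-*"]

# Constructed _count responses: winlogbeat returned zero documents,
# filebeat is healthy, metricbeat returned nothing at all.
SAMPLE_RESPONSES = {
    "winlogbeat-*": {"count": 0},
    "filebeat-*": {"count": 412},
}

if __name__ == "__main__":
    for pattern in EXPECTED:
        print(count_request(pattern))
    for pattern in silent_sources(EXPECTED, SAMPLE_RESPONSES):
        print(f"ALERT: no documents from {pattern} in the last 20 minutes")
```
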