We are using metricbeat to monitor containers in our environment. We need to create an email alert to get triggered when any container's CPU usage exceeds 70%.
I was trying to create a rule under "Alerts and Insights" using "Rules and Connectors"; however, in the section where it asks to define the Elasticsearch query, it's only allowing Query DSL, not KQL. I watched one video where there was an option to define the Elasticsearch query in KQL.
Has KQL been removed from "Rules and Connectors"? If it has been removed, is there any tool/way I can convert KQL to QDSL?
My intended KQL is "container.name : * and docker.cpu.total.pct >= 0.7". We're running ELK 8.1.
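The conversion asked about above, as an added example that is not part of the original thread: a small Python translator for the subset of KQL used in the question (`field : *` existence checks and numeric comparisons joined by `and`), producing a Query DSL body of the kind the Elasticsearch query rule accepts. The function names are hypothetical, and anything outside that subset is rejected rather than guessed at.

```python
import json
import re

# Range operators KQL supports, mapped to Query DSL range keys.
RANGE_OPS = {">=": "gte", "<=": "lte", ">": "gt", "<": "lt"}

# One clause: field, operator, value, e.g. "docker.cpu.total.pct >= 0.7".
CLAUSE = re.compile(r"^\s*([\w.]+)\s*(>=|<=|>|<|:)\s*(\S+)\s*$")


def clause_to_dsl(clause):
    """Translate one KQL clause into a Query DSL leaf query."""
    m = CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    field, op, value = m.groups()
    if op == ":":
        # Only the "field exists" form is handled; value matching is out of scope.
        if value != "*":
            raise ValueError(f"only 'field : *' is handled for ':' ({clause!r})")
        return {"exists": {"field": field}}
    # Numeric comparison; float() raises ValueError on a non-numeric value.
    return {"range": {field: {RANGE_OPS[op]: float(value)}}}


def kql_to_dsl(kql):
    """Translate 'clause and clause ...' into a bool/filter query body."""
    clauses = re.split(r"\s+and\s+", kql.strip(), flags=re.IGNORECASE)
    return {"query": {"bool": {"filter": [clause_to_dsl(c) for c in clauses]}}}


if __name__ == "__main__":
    # The KQL from the question above.
    kql = "container.name : * and docker.cpu.total.pct >= 0.7"
    print(json.dumps(kql_to_dsl(kql), indent=2))
```
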
For your alert you should try metric threshold; it should cover the case. In fact, it is specifically made for this case and is MORE powerful / flexible than just a DSL Alert.
You can have critical and warning levels
Filter by KQL
Group by etc
Here is a sample. I don't have Docker on this cluster, but it should point out how.
Thanks for the prompt response. I tried it out, however, it didn't work.
I got it working with "Inventory" using the following config, with filter name as agent.hostname : name of the dockerhost.
(used low values just for testing purposes)
Another query which I have is, while specifying "Actions", is it mandatory to use pre-defined actions like {{ context.something }}? Reason being, currently the logs are showing container.id when I used {{ context.group }}; I would rather like to display container.name. How can we customise our own actions?