I am working on the Email Alert functionality, where I came across a different scenario like this:
Let's suppose I have configured Metricbeat & Filebeat on 10 servers, which will send the data to the Elastic cluster. Among the 10 servers, if any one of the servers goes down, it will
not return the data of that particular server to the Elastic cluster. So, now I want to send the email alert to the user with the details of the node which went down.
So far, I am unable to create the alert on a node-wise basis.
Is there any way to achieve the email alert when any one of the nodes is not sending documents to the Elastic cluster?
The first thing is to draft a query that can display such data - until this is done there is no need to think about a watch.
How about this:
Query for data in the last 30 minutes, now-30m
Aggregation: Filter on time now-15m, terms aggregation on beat hosts
Aggregation: Filter on time now-15m to now-30m, terms aggregation on beat hosts
Now with this response you could check if the aggregation response contains different hosts and if there are hosts in the second agg that don't exist in the first. If that is the case, you've got a host that is not sending data anymore.
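The two-window query described in the reply above, plus the host comparison, as an added example (not code from the original thread). It assumes the beat documents carry an `@timestamp` field and a keyword host field named `host.name`; adjust the field name to whatever your beat version writes. It runs offline against a constructed aggregation response.

```python
# Added example: two filter aggregations (recent 15 min vs. previous 15 min)
# over the last 30 minutes, each with a terms aggregation on the host field,
# and the set difference that yields hosts which have gone quiet.

HOST_FIELD = "host.name"  # assumption: keyword field holding the beat host name
# terms agg default size is 10; raise it above the number of monitored hosts,
# otherwise a silent host can be hidden by bucket truncation.
MAX_HOSTS = 500


def build_query():
    """Elasticsearch query body for the two-window comparison."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": "now-30m", "lt": "now"}}},
        "aggs": {
            "recent": {
                "filter": {"range": {"@timestamp": {"gte": "now-15m"}}},
                "aggs": {"hosts": {"terms": {"field": HOST_FIELD, "size": MAX_HOSTS}}},
            },
            "previous": {
                "filter": {"range": {"@timestamp": {"gte": "now-30m", "lt": "now-15m"}}},
                "aggs": {"hosts": {"terms": {"field": HOST_FIELD, "size": MAX_HOSTS}}},
            },
        },
    }


def hosts_in(window_agg):
    """Set of host names found in one filter aggregation's terms buckets."""
    return {bucket["key"] for bucket in window_agg["hosts"]["buckets"]}


def silent_hosts(response):
    """Hosts present in the previous window but absent from the recent one."""
    aggs = response["aggregations"]
    return sorted(hosts_in(aggs["previous"]) - hosts_in(aggs["recent"]))


# Constructed sample response: web-03 reported in the previous window only.
SAMPLE_RESPONSE = {
    "aggregations": {
        "recent": {"doc_count": 240, "hosts": {"buckets": [
            {"key": "web-01", "doc_count": 120},
            {"key": "web-02", "doc_count": 120},
        ]}},
        "previous": {"doc_count": 360, "hosts": {"buckets": [
            {"key": "web-01", "doc_count": 120},
            {"key": "web-02", "doc_count": 120},
            {"key": "web-03", "doc_count": 120},
        ]}},
    }
}

if __name__ == "__main__":
    print(silent_hosts(SAMPLE_RESPONSE))  # ['web-03']
```

Feed `build_query()` to a search request and pass the JSON result to `silent_hosts()`; a non-empty list is the condition that should trigger the email action.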
It's a common problem, so I wrote a blog post on that topic. Have a read and see if you can use it. We use this approach on many indices and it works well for us.