How can I filter my watcher for specific IPs?

Hi guys,

Currently the metricbeat index brings me information from many servers. What I want to do is alert when CPU consumption is above 75% for three specific IPs and not for all servers that are monitored with metricbeat and point to the same index.

How can I make the filter for these three IPs?

Hey,

so what query have you tried so far? My suggestion would be to take a look at the bool query, which contains a filter array. This array will consist of a terms query for the IPs and a range query for the CPU percentage.

You possibly also want to limit by timestamp for the last 5 minutes.

--Alex

Hi,

This was my watcher:

PUT /_watcher/watch/w_saex_qa_cpu
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "metricbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "term": {"host.ip": ["118.180.61.23","118.180.61.24","118.180.61.25"]}
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1m"
                    }
                  }
                }
              ],
              "must": [
                {
                  "range": {
                    "system.cpu.total.norm.pct": {
                      "gte": 0.001
                    }
                  }
                }
                //{"match": {"host.ip": "118.180.61.23"}},
              ]
            }
          },
          "aggs": {
            "ipAddress": {
              "terms": {
                "field": "host.ip",
                "size": 10
              },
              "aggs": {
                "hostname": {
                  "terms": {
                    "field": "host.hostname",
                    "size": 10
                  },
                  "aggs": {
                    "max_cpu": {
                      "max": {
                        "field": "system.cpu.total.norm.pct",
                        "format": "0.0%"
                      }
                    }
                  }
                }
              }
            }
          },
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "text": "{{#toJson}}ctx.payload.aggregations.hostname{{/toJson}}"
      }
    },
    "send_email": {
      "throttle_period_in_millis": 300000,
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gt": 0
          }
        }
      },
      "email": {
        "profile": "standard",
        "to": [
          "<bryan.duran.contractor@bbva.com>"
        ],
        "subject": "[elastic] Warning Incident started: Alerta - Alto consumo de CPU - Maquinas > 80% ",
        "body": {
          "html": "          <h3> Maquinas con CPU superior a 80%</h3>\n          <ul>\n          {{#ctx.payload.aggregations.ipAddress.buckets}} \n      <li> Ip Address:  {{key}}{{#hostname.buckets}}\n      - CPU: {{max_cpu.value_as_string}}</li>\n           {{/hostname.buckets}}\n               {{/ctx.payload.aggregations.ipAddress.buckets}}\n          </ul>"
        }
      }
    }
  }
}

POST _watcher/watch/w_saex_qa_cpu/_execute

Regards

can you explain what is not working and share the output of the execute watch api or the watch history?

Is the query working as expected or not, if you run it standalone?

Also, the condition in the email action is unneeded, as it is the same as the main condition.

Hi,

The problem was that it was only required to send the alert when 3 specific CPUs exceeded the threshold. I was defining it like this: "term": {"host.ip": ["118.180.61.23","118.180.61.24","118.180.61.25"]} when it should have been like this: "terms": {"host.ip": ["118.180.61.23","118.180.61.24","118.180.61.25"]}
The result of the watcher is as follows:
(screenshot of the watch output, not reproduced here)

But the problem now is that I want the percentages to be shown as they are shown on my dashboard and not as shown in the email, which is rounding the results.

The dashboard shows the value of 0.188% but in my email it is rounded to 0.20%

Regards
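Added example, not code from the thread or from Elastic: it builds the query shape Alex suggested (a bool filter array holding a terms query on host.ip, a range query on the CPU field and a range on @timestamp) and checks it locally against a few constructed metricbeat-style documents, so the effect of the term/terms fix from the last post can be seen without a cluster. The local evaluator is a deliberately small interpreter of just these three clause types (an assumption of this example, not how Elasticsearch executes queries); the IPs and field names are the ones used in the thread, the threshold is the 75% from the question, and the timestamps and CPU values are constructed.

```python
"""Build the watch's bool query and evaluate it locally against constructed metricbeat docs."""
import re
from datetime import datetime, timedelta, timezone

WATCHED_IPS = ["118.180.61.23", "118.180.61.24", "118.180.61.25"]  # the three IPs from the thread
CPU_THRESHOLD = 0.75  # 75%; system.cpu.total.norm.pct is normalized to 0..1
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time for "now"

_DATE_MATH = re.compile(r"^now(?:-(\d+)([smhd]))?$")


def build_query(ips, threshold, window="now-5m"):
    """The 'query' part of the watch input: every clause in the bool filter array.

    'terms' (plural) matches any value in the list; a single 'term' clause expects one
    value, which is the mistake the original watch made.
    """
    return {
        "bool": {
            "filter": [
                {"terms": {"host.ip": list(ips)}},
                {"range": {"system.cpu.total.norm.pct": {"gte": threshold}}},
                {"range": {"@timestamp": {"gte": window}}},
            ]
        }
    }


def broken_query(ips, threshold):
    """The original watch's shape: 'term' with a list. Elasticsearch rejects this
    ("[term] query does not support array of values"); the local evaluator does too."""
    q = build_query(ips, threshold)
    q["bool"]["filter"][0] = {"term": {"host.ip": list(ips)}}
    return q


def _resolve(expr, now):
    """Resolve the small subset of date math the watch uses: 'now' and 'now-<n><unit>'."""
    m = _DATE_MATH.match(expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr}")
    if m.group(1) is None:
        return now
    unit = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}[m.group(2)]
    return now - timedelta(**{unit: int(m.group(1))})


def _get(doc, dotted):
    """Look up a dotted field name such as 'host.ip' in a nested dict; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _clause_matches(clause, doc, now):
    """Evaluate one terms / term / range clause against a document."""
    (kind, body), = clause.items()
    (field, spec), = body.items()
    value = _get(doc, field)
    if kind == "terms":
        return value in spec
    if kind == "term":
        if isinstance(spec, list):
            raise ValueError("'term' takes a single value; use 'terms' for a list")
        return value == spec
    if kind == "range":
        if value is None:
            return False
        if field == "@timestamp":
            value = datetime.fromisoformat(value.replace("Z", "+00:00"))
            spec = {k: _resolve(v, now) for k, v in spec.items()}
        lo, hi = spec.get("gte"), spec.get("lte")
        return (lo is None or value >= lo) and (hi is None or value <= hi)
    raise ValueError(f"unsupported clause type: {kind}")


def matches(query, doc, now=NOW):
    """True when every clause in the bool filter array matches the document."""
    return all(_clause_matches(c, doc, now) for c in query["bool"]["filter"])


def sample_docs():
    """Constructed metricbeat-like documents (not real data)."""
    def doc(ip, host, pct, minutes_ago):
        ts = (NOW - timedelta(minutes=minutes_ago)).isoformat().replace("+00:00", "Z")
        return {"@timestamp": ts, "host": {"ip": ip, "hostname": host},
                "system": {"cpu": {"total": {"norm": {"pct": pct}}}}}
    return [
        doc("118.180.61.23", "qa-app-01", 0.91, 1),   # watched, hot, recent: should alert
        doc("118.180.61.24", "qa-app-02", 0.40, 1),   # watched, but below the threshold
        doc("118.180.61.25", "qa-app-03", 0.88, 30),  # watched and hot, but outside now-5m
        doc("10.0.0.9", "other-01", 0.99, 1),         # hot, but not one of the three IPs
    ]


def alerting_hosts(query, docs, now=NOW):
    """Sorted IPs whose documents match, i.e. what would make hits.total > 0."""
    return sorted({_get(d, "host.ip") for d in docs if matches(query, d, now)})


if __name__ == "__main__":
    print(alerting_hosts(build_query(WATCHED_IPS, CPU_THRESHOLD), sample_docs()))
```

Only the first constructed document survives all three clauses: the second is idle, the third is older than the five-minute window, and the fourth is not in the terms list. Running the same documents through `broken_query` raises, which mirrors the parse error Elasticsearch returns for a `term` clause holding an array.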
