I'm thinking about using X-Pack Watcher for alerting when some of our components have stopped sending data to ELK.
I.e., there is no new data from a certain source recently.
There is a quick & dirty solution: just create an individual watcher per data source (i.e. "host", "type", ...). Seems really ugly.
Combine different sources in one watcher using an array. A little better, but still a static list.
"We saw messages from these sources in the past - let's check if we see them recently" - I'm not sure what the best way to implement this logic is.
ML? How?
What do you think?
I'm curious if someone has already implemented a similar thing.
TIA,
Vitaly
Hi,
If you have data that should get into the cluster regularly, you may build a watcher that checks how old the timestamp of the last inserted entry is. If > x, then fire an alarm.
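One way to implement the dynamic version of this check ("which sources did we see in the last 24h but not in the last 15m?") is a watch with a chain input that runs the same terms aggregation over two time windows, then a script condition that compares the two sets of buckets. This is an added example, not the reply author's code and not a watch shipped by Elastic; the index pattern `logstash-*`, the field `host.keyword`, the 24h/15m windows, the terms size and the watch id `stale_sources` are assumptions. The body below is what you would `PUT _xpack/watcher/watch/stale_sources` on 5.x/6.x (7.0 renamed the path to `_watcher/watch/stale_sources`, the body is unchanged):

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "chain": {
      "inputs": [
        { "seen": { "search": { "request": {
          "indices": ["logstash-*"],
          "body": {
            "size": 0,
            "query": { "range": { "@timestamp": { "gte": "now-24h" } } },
            "aggs": { "by_host": { "terms": { "field": "host.keyword", "size": 500 } } }
          } } } } },
        { "recent": { "search": { "request": {
          "indices": ["logstash-*"],
          "body": {
            "size": 0,
            "query": { "range": { "@timestamp": { "gte": "now-15m" } } },
            "aggs": { "by_host": { "terms": { "field": "host.keyword", "size": 500 } } }
          } } } } }
      ]
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "def recent = new HashSet(); for (def b : ctx.payload.recent.aggregations.by_host.buckets) { recent.add(b.key); } for (def b : ctx.payload.seen.aggregations.by_host.buckets) { if (!recent.contains(b.key)) { return true; } } return false;"
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "def recent = new HashSet(); for (def b : ctx.payload.recent.aggregations.by_host.buckets) { recent.add(b.key); } def missing = new ArrayList(); for (def b : ctx.payload.seen.aggregations.by_host.buckets) { if (!recent.contains(b.key)) { missing.add(b.key); } } return ['missing': missing];"
    }
  },
  "actions": {
    "log_missing": {
      "logging": { "text": "No data in the last 15m from: {{ctx.payload.missing}}" }
    }
  }
}
```

The list of sources is never written into the watch: whatever shipped data in the last 24h is expected to still be shipping, and a host that was decommissioned more than 24h ago simply drops out of the `seen` set. The time arithmetic lives in the two `range` queries (`now-24h` vs `now-15m`), so the painless code only compares bucket keys and does not depend on the version-specific shape of `ctx.execution_time`. Two things to check before relying on it: the terms `size` must be larger than the number of distinct sources, otherwise the aggregation silently truncates and a silent host may never appear in `seen`; and the 15m window must be longer than the normal gap between events from your quietest source, or you will page on every lull. If the whole pipeline dies, `recent` is empty and every host is reported, which is the alert you want.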
ML can easily do this with a job that would use the low_count detector. If the data source is a single index, then a Single Metric job will do the trick.
If there are multiple "types" in the index, then the Multi-metric Job is the right choice, splitting on the type field (or whatever you want to split on).
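For reference, this is what the job described above looks like when created through the API instead of the Kibana wizard: a `low_count` detector partitioned on `type`, so each type gets its own baseline and an alert when its event count drops well below what the job has learned for it. This is an added example, not the reply author's configuration; the job id `quiet_sources`, the 15m bucket span and the `@timestamp` time field are assumptions, and the body is what you would `PUT _xpack/ml/anomaly_detectors/quiet_sources` on 6.x (7.0 moved the path to `_ml/anomaly_detectors/quiet_sources`):

```json
{
  "description": "Flag log sources whose event count drops far below their learned baseline",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "low_count partitioned by type",
        "function": "low_count",
        "partition_field_name": "type"
      }
    ]
  },
  "data_description": {
    "time_field": "@timestamp"
  }
}
```

The job still needs a datafeed pointing at the index pattern (`PUT _xpack/ml/datafeeds/datafeed-quiet_sources` with `job_id` and `indices`) and then has to be opened and the datafeed started. Two caveats relative to the watcher approach: `low_count` scores a drop relative to what the job has learned for that partition, so it needs a stretch of normal history before it is useful and a source that was always bursty will score lower than one that was steady; and the job only writes anomaly records, so to actually get paged you still need a watch on the job's results (the 6.x Kibana ML UI offers to create that watch for you).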