I'm thinking about using X-Pack Watcher for alerting when some of our components stop sending data to ELK.
I.e. there is no new data from a certain source recently.
- There is a quick-and-dirty solution: just create an individual watcher per data source (i.e. "host", "type", ...). Seems really ugly.
- Combine different sources in one watcher using an array. A little better, but still a static list.
- "We saw messages from these sources in the past - let's check if we see them recently" - I'm not sure what the best way to implement this logic is.
- ML? How?
What do you think?
I'm curious if someone has already implemented a similar thing.
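The "seen in the past, silent now" logic from the third bullet, as an added example that is not part of the original post: a terms aggregation over a long lookback with a max-timestamp sub-aggregation, followed by a filter on last-seen age, so the source list is discovered rather than static. The field names `host.keyword` and `@timestamp`, the 7-day lookback, the bucket size and the sample response are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def build_query(field="host.keyword", lookback="now-7d", size=1000):
    """One bucket per source seen in the lookback, each with its newest timestamp.
    Field names, lookback and size are assumptions for this sketch."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": lookback}}},
        "aggs": {"sources": {
            "terms": {"field": field, "size": size},
            "aggs": {"last_seen": {"max": {"field": "@timestamp"}}},
        }},
    }

def silent_sources(response, now, max_silence):
    """Return [(source, last_seen)] for sources whose newest event is older
    than now - max_silence, longest-silent first."""
    agg = response["aggregations"]["sources"]
    if agg.get("sum_other_doc_count", 0) > 0:
        # More distinct sources than the terms size: some would be missed silently.
        raise ValueError("terms aggregation truncated; raise size or use composite")
    cutoff_ms = (now - max_silence).timestamp() * 1000
    silent = []
    for bucket in agg["buckets"]:
        last_ms = bucket["last_seen"]["value"]  # max on a date field: epoch millis
        if last_ms < cutoff_ms:
            seen = datetime.fromtimestamp(last_ms / 1000, tz=timezone.utc)
            silent.append((bucket["key"], seen))
    return sorted(silent, key=lambda item: item[1])

# Constructed sample response (not real data), shaped like the aggregation output.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

def _bucket(key, age):
    return {"key": key, "doc_count": 1,
            "last_seen": {"value": (NOW - age).timestamp() * 1000}}

SAMPLE_RESPONSE = {"aggregations": {"sources": {
    "sum_other_doc_count": 0,
    "buckets": [
        _bucket("web-01", timedelta(minutes=2)),
        _bucket("db-01", timedelta(hours=3)),
        _bucket("fw-edge", timedelta(days=2)),
    ],
}}}

if __name__ == "__main__":
    for source, seen in silent_sources(SAMPLE_RESPONSE, NOW, timedelta(minutes=15)):
        print(f"{source} silent since {seen.isoformat()}")
```

A source that has been silent for longer than the lookback drops out of the buckets entirely, so the lookback bounds how long a dead source keeps alerting.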