How to set alert on total size of indices matching a pattern?

Elastic Stack Elasticsearch
1

Hi!
I've posted this question on SO: elastic stack - Elasticsearch how to set alert on total size of indices matching a pattern? - Stack Overflow but am re-posting it here in hopes to get a more focused audience :slight_smile:

I would like to set an Alert Rule in Elastic - to trigger an alert when a total size of indices, matching a specific pattern, exceeds some limit.

I know how to get the total size by running a query:

GET /.ds-elastic-cloud-logs*/_stats

this would give me:

...
"_all": {
"primaries": {
  "docs": {
    "count": 12865686,
    "deleted": 0
  },
  "shard_stats": {
    "total_count": 5
  },
  "store": {
    "size_in_bytes": 2205540490,
    "total_data_set_size_in_bytes": 2205540490,
    "reserved_in_bytes": 0
  },
...

and the value I'm looking for is: "size_in_bytes": 2205540490

But I could not find how to create an alert based on this value...
I looked at the "index threshold" type of alerts: Index threshold | Kibana Guide [master] | Elastic - and while I am able to specify the index pattern (.ds-elastic-cloud-logs*) in the rule - the "size-in-bytes" field is not available for use in the alert...

Also looked at the "elasticsearch query" type of alerts: Elasticsearch query | Kibana Guide [master] | Elastic - but I can only get a count of documents returned by a query to be used as the metric, not the size of indices ...

Any other way to achieve what I want?
Thank you!
Marina

2

Hi @ppine7

Have you tried to create a pipeline that gets information from the _stats API and saves it in another index? In this other index that will make the storage summary, you can create an alert for the desired field. Another possibility, if applicable to your scenario, is the use of ILM to manage your index storage and perform the rollup.
ILM: Manage the index lifecycle | Elasticsearch Guide [8.7] | Elastic

Best regards

3

Hi,
I am afraid you cannot (at least for now) call an arbitrary API with Kibana alert Rules.
I would go with the Watcher, which is more flexible. You could get inspiration from sample Watches repo, like this one: examples/Alerting/Sample Watches/large_shard_watch at master · elastic/examples · GitHub

4

Thank you, @grfneto ! I was looking for something out of the box for Alerts - will keep this option in mind too. And I do use ILM - but wanted to add alerts as a precaution as well.

1 Like
5

Thank you, @vincenbr ! I was hoping to have an out-of-the-box option like that for Alerts - will keep the Watch approach in mind - although as I checked the GIT repo example - it does look quite intimidating :slight_smile:

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.