How to show Memory Usage is at values percent

Elastic Stack Elasticsearch
1

Hi, @spinscale
I'm having trouble with settings alerts for my memory usage. I'm using Metricbeat which is stashing only the memory metrics to Elasticsearch.

This is the JSON for the watch that I've configured:

PUT _xpack/watcher/watch/mem_warning
{
"trigger": {
"schedule": {
"interval": "10m"
}
},
"input": {
"search": {
"request": {
"indices": [
"metricbeat-*"
],
"body": {
"size": 10,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"from" : "now-7h"
}
}
},
{
"term": {
"metricset.name" : "memory"
}
},
{
"range": {
"system.memory.used.pct" : {
"from" : 0.75
}
}
}
]
}
},
"aggs": {
"hosts": {
"terms": {
"field": "beat.hostname",
"size": 10
}
}
}
}
}
}
},
"condition" : {
"script" : "return ctx.payload.aggregations.hosts.buckets.size() > 0"
},
"actions": {
"send_email": {
"transform" : {
"script" : {
"inline": "return [ 'hosts' : ctx.payload.aggregations.hosts.buckets.stream().map(b -> b.key).collect(Collectors.toList())]"
}
},
"email": {
"to": "thanadol.thad@wealth.co.th",
"subject": "Watcher Notification - HIGH MEMORY USAGE",
"body": "Hosts with HIGH MEMORY Usage (above 75%):\n\n{{ctx.payload.hosts}}\n\n Memory Usage is at: ... %"
}
}
}
}

I'm following Watching the watches: Writing, debugging and testing watches | Elastic Blog ,but it show one host.

I need that outputs to show hosts and values.
Example.

" Hosts with HIGH MEMORY USAGE (above 75%): hosts1 Memory Usage is at: 80.65%, hosts2 Memory Usage is at: 87.13% "
or
" Hosts with HIGH MEMORY USAGE (above 75%): hosts1,hosts2,hosts3 Memory Usage is at: 80.65%, 87.13%, 76.01% "

Thanks.

2

Hey,

I do not understand where your exact problem is at the moment. When you take a look at your aggregation, there is only an aggregation on the hostname, so this is the data you are getting from the search response. If you want to also get the memory usage, you may need to add another sub-aggregation that calculates max or average of the memory field in your data.

First start with the query, and only if that contains all the results, start writing a watch. The tricky part is usually the query, not the watch itself.

--Alex

3

thank for reply @spinscale
if i used sub-aggregation avg or max
Example

       "aggs": {
        "hosts": {
          "terms": {
            "field": "beat.hostname",
            "size": 10
          },
          "aggs": {
            "values": {
              "avg": {
                "field": "system.memory.used.pct"
              }
            }
          }
        }
      }

how to refer to sub-aggregation at action in body?

Example condition and action

"condition" : {
"script" : "return ctx.payload.aggregations.hosts.buckets.size() > 0"
},
"actions": {
"send_email": {
"transform" : {
"script" : {
"inline": "return [ 'hosts' : ctx.payload.aggregations.hosts.buckets.stream().map(b -> b.key).collect(Collectors.toList())]"
}
},
"email": {
"to": "thanadol.thad@wealth.co.th",
"subject": "Watcher Notification - HIGH MEMORY USAGE",
"body": "Hosts with HIGH MEMORY Usage (above 75%):\n\n{{ctx.payload.hosts}}\n\n
Memory Usage is at: ... % \n\n
at times: {{ctx.trigger.triggered_time}} \n\n"
}
}
}

thanks.

4

Hey.

how about this transform?

    "transform": {
      "script": {
        "inline": "return ['hosts': ctx.payload.aggregations.hosts.buckets.stream().map(b -> [b.key: b.values.value]).collect(Collectors.toList()) ]"
      }
    },

--Alex

1 Like
5

Sorry for the trance question and a little grammar.
I think you are amazing and thanks for help me. :smile: @spinscale

1 Like
6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.