Let's imagine that every 10 minutes, an application sends information to Elasticsearch telling me whether there is an error or not:
The application sends me two kinds of data: Host : host1 and Status : OK
or Host : host1 and Status : Error
So, I want to create an alert when the application sends me an error. This is EASY, no problemo.
But afterwards, if the problem is fixed, the application will send me Status : OK (because the error is fixed). And then I want to send another alert that says:
"Your error on Host1 is fixed"
How can I do this? Knowing that I receive data from several hosts.
Kibana alerting has a concept of "recovered" alert status. Once an alert is active, the next time the rule runs and that alert is NOT active, it will fire the "recovered" action. You need to configure that action separately, and it can be different from the "active" alert action.
Note: the other constraint is that you want a rule that operates over multiple possible alerts during the same run. I'd look at the index threshold and metric threshold rule types for that. The Elasticsearch query rule type only generates a single alert each run (whether or not the count of the returned search docs met a threshold).
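As an added illustration (not part of the reply above), here is what such an index threshold rule could look like when created through the Kibana alerting API (`POST /api/alerting/rule`), with one action for the "threshold met" group and a separate one for the "recovered" group, grouped per host. It assumes the application also writes a numeric `status_code` field (1 for Error, 0 for OK) into an index `app-status`, a `host.keyword` field, and an existing server-log connector whose id is the placeholder `<connector-id>`.

```json
{
  "name": "Per-host error with recovery notice",
  "rule_type_id": ".index-threshold",
  "consumer": "alerts",
  "schedule": { "interval": "10m" },
  "notify_when": "onActionGroupChange",
  "params": {
    "index": ["app-status"],
    "timeField": "@timestamp",
    "aggType": "max",
    "aggField": "status_code",
    "groupBy": "top",
    "termField": "host.keyword",
    "termSize": 50,
    "timeWindowSize": 15,
    "timeWindowUnit": "m",
    "thresholdComparator": ">",
    "threshold": [0]
  },
  "actions": [
    {
      "group": "threshold met",
      "id": "<connector-id>",
      "params": {
        "level": "warn",
        "message": "Error reported on host {{alert.id}}"
      }
    },
    {
      "group": "recovered",
      "id": "<connector-id>",
      "params": {
        "level": "info",
        "message": "Your error on {{alert.id}} is fixed"
      }
    }
  ]
}
```

The 15-minute window is deliberately longer than the 10-minute reporting interval so that a single late document does not make a still-failing host look recovered; each host becomes its own alert instance, so recovery is reported per host.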