Kibana Alert When No Metricbeat Data - to include hostname

abidub · July 19, 2022, 4:15pm

Hi there,

I would like to receive an alert when any of the hosts that I have Metricbeat installed on, now longer reports in data, for whatever reason (it could be stopped, server is turned off etc.).

I want to avoid having to maintain an inventory list of servers I have installed Metricbeat on.

I know I can do an elastic query to check of metricbeat returns any hits for a particular server/servers, but is there any clever way to configure a simple alert that just tells me Metricbeat has no hits from a [hostname(s)], without me having to provide the hostnames to query.

If I do need to provide the hostnames, I am having trouble in returning that hostname in a watcher payload because hits = 0.

Any direction appreciated

Thanks

Marius_Dragomir · July 23, 2022, 5:31pm

You can use Alerting instead of Watcher. This allows you to configure a Log Threshold rule something like this:

Just replace the field names and intervals to what fits your data. For example instead of machine.os.keyword, use hostname and for geo.src use a field in the metricbeat documents that will always be there.

abidub · August 6, 2022, 12:11pm

Thank you! That worked great

system · September 3, 2022, 12:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.