Hi all,
Is it possible to monitor the number of shards per node using watchers?
I would like to be able to trigger an alert when the result of the GET _cat/allocation?v&h=node,shards returns, for at least one node, a value greater than 500.
Thank you for your help.
Cristina Marletta Livi
Hello @Cristina_Marletta_Li
Yes, it is possible using watcher. Below is just an example, you might have to update as per your requirement.
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"http": {
"request": {
"scheme": "https",
"host": "elk-end-point",
"port": 9243,
"method": "get",
"path": "/_cat/allocation",
"params": {
"format": "json",
"h": "node,shards"
},
"headers": {},
"auth": {
"basic": {
"username": "user",
"password": "password"
}
}
}
}
},
"condition": {
"script": {
"source": """
for (def entry : ctx.payload.data) {
if (Integer.parseInt(entry.shards) > 500) {
return true;
}
}
return false;
""",
"lang": "painless"
}
},
"actions": {
"log_alert": {
"logging": {
"level": "info",
"text": "One or more nodes have more than 500 shards."
}
}
}
}
Thanks!!
Thanks @Tortoise . I wonder: are there other, more advisable ways to monitor the number of shards via an alerting mechanism? A rule, for example.
Hi @Tortoise ,
I tried your script.
Running 'Simulate', I get a certificate error: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How can I get over it?
Thanks for your help
Cristina
Hello @Cristina_Marletta_Li
Other way is you can try to use synthetics in Kibana to monitor the URL & the output we capture is as below :
On the synthetics response you can use the regex to see if output of shards is greater > 499 , on this automatically the synthetics will trigger alert :
Response body contains :
"shards":"(5\d{2}|[6-9]\d{2}|\d{4,})"
If you still plan to use Watcher please share what watcher you are using for which the error was shared?
Thanks!!
Hi Tortoise,
this is my watcher definition:
{
"trigger": {
"schedule": {
"interval": "12h"
}
},
"input": {
"http": {
"request": {
"scheme": "https",
"host": "127.0.0.1",
"port": 9200,
"method": "get",
"path": "/_cat/allocation",
"params": {
"h": "node,shards",
"format": "json"
},
"headers": {}
}
}
},
"condition": {
"script": {
"source": "for (def entry : ctx.payload.data) {if (Integer.parseInt(entry.shards) > 500) {return true;}} return false;",
"lang": "painless"
}
},
"actions": {
"log_alert": {
"logging": {
"level": "info",
"text": "One or more nodes have more than 500 shards."
}
}
}
}
the simulation returns:
{
"type": "s_s_l_handshake_exception",
"reason": "(certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
}
The Elasticsearch configuration contains:
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12
certificate_authorities: certs/http_ca.crtxpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
The curl test is ok:
curl https://127.0.0.1:9200 (external, opens in a new tab or window) -v --cacert /etc/elasticsearch/certs/http_ca.crt Trying 127.0.0.1:9200... Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
So, I don't understand where the mistake lies.
Hello @Cristina_Marletta_Li
As per the post :
In the elasticsearch.yml we need to add below entry :
If it is for testing environment can use below (not secure):
xpack.http.ssl.verification_mode: none
For Prod need to use below :
xpack.http.ssl.certificate_authorities: ["/path/to/http_ca.crt"]
Documentation :
https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/watcher-settings
Thanks!!
Hi @Tortoise ,
now it’all ok!
Tnx so much.
Just one more question: On which types of nodes should I configure watchers: hot nodes, masters, etc.? For example, email accounts and xpack.http.ssl.certificate_authorities in elasticsearch.yml.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.