Use case: a query that displays all rows which have not had an update within 3 minutes as status=DOWN

Hello,

I am using ELK Stack 7.3.2 and working on a use case where a query displays all rows which have not had an update within 3 minutes as status=DOWN.

I am using Canvas to visualize events from a Kafka topic. Let's say I get a message like this: {"processName":"SM1","processType":"serviceManager","status":"DOWN","update":"2h14m","hostname":"devvm20"}
and then within 3 minutes I do not get it again.

In ES SQL it would be something like this, but I am not able to get it to work.

filters
    | essql
      query="SELECT processName, processType, hostname, MAX(\"@timestamp\") AS lastSeen FROM \"boris-index\" GROUP BY processName, processType, hostname HAVING MAX(\"@timestamp\") < NOW() - INTERVAL 3 MINUTES"
    | table
    | render


I would like to be able to show status=DOWN when I have not got an update within 3 minutes. Then it would be helpful to combine it with another query which is able to show that the row is now of status=UP.

Please help me out.

Wouldn't it be easier to read if you displayed a count of documents received from each processName with a 3m interval for the bucket, so it displays 1 if up and 0 if it's down?
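The two approaches in this thread (the original post's "last update older than 3 minutes means DOWN" and the reply's "count per process per 3m bucket, 0 means down") are easy to confuse at the boundaries, so here is an added, stand-alone Python example that is not code from either poster or from Elastic. It reproduces the GROUP BY / MAX("@timestamp") / HAVING logic and the bucketed count over a constructed set of events, using a fixed "now" so the result is deterministic. The event list, the 09:56 to 10:05 window, the process names SM2 to SM4 and the function names are all assumptions made for the example; a real check would run the query against Elasticsearch and use the current time.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events standing in for documents from "boris-index"
# (illustrative only; not from the original post). Only the fields the
# liveness check needs are included.
SAMPLE_EVENTS = [
    {"processName": "SM1", "processType": "serviceManager", "hostname": "devvm20", "@timestamp": "2019-10-01T10:00:00Z"},
    {"processName": "SM1", "processType": "serviceManager", "hostname": "devvm20", "@timestamp": "2019-10-01T10:03:30Z"},
    {"processName": "SM2", "processType": "serviceManager", "hostname": "devvm21", "@timestamp": "2019-10-01T09:55:00Z"},
    {"processName": "SM3", "processType": "worker",         "hostname": "devvm20", "@timestamp": "2019-10-01T10:04:30Z"},
    {"processName": "SM4", "processType": "worker",         "hostname": "devvm22", "@timestamp": "2019-10-01T10:01:59Z"},
]

# Fixed "now" (an assumption) so the example is deterministic; a real check
# would use datetime.now(timezone.utc).
NOW = datetime(2019, 10, 1, 10, 5, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(minutes=3)


def parse_ts(value):
    """Parse the ISO-8601 UTC string Elasticsearch stores in @timestamp."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen_by_process(events):
    """Equivalent of MAX(@timestamp) ... GROUP BY processName, processType, hostname."""
    latest = {}
    for event in events:
        key = (event["processName"], event["processType"], event["hostname"])
        ts = parse_ts(event["@timestamp"])
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    return latest


def process_status(events, now=NOW, stale_after=STALE_AFTER):
    """Return {processName: row} with status UP or DOWN, using the same strict
    comparison as HAVING MAX(@timestamp) < NOW() - INTERVAL 3 MINUTES."""
    cutoff = now - stale_after
    rows = {}
    for (name, ptype, host), ts in last_seen_by_process(events).items():
        rows[name] = {
            "processType": ptype,
            "hostname": host,
            "lastSeen": ts.isoformat(),
            "status": "DOWN" if ts < cutoff else "UP",
        }
    return rows


def down_processes(events, now=NOW, stale_after=STALE_AFTER):
    """The rows the original post asks for: processes with no update within the interval."""
    return sorted(name for name, row in process_status(events, now, stale_after).items()
                  if row["status"] == "DOWN")


def counts_per_bucket(events, now=NOW, bucket=timedelta(minutes=3), buckets=3):
    """The reply's alternative: documents per process in each fixed-width bucket
    over the last buckets * bucket of time. A 0 in the newest bucket means down.
    Note the newest bucket is partial until the full interval has elapsed."""
    window_start = now - bucket * buckets
    counts = {}
    for event in events:
        ts = parse_ts(event["@timestamp"])
        if not (window_start <= ts < now):
            continue  # outside the window: contributes nothing
        idx = int((ts - window_start) // bucket)
        counts.setdefault(event["processName"], [0] * buckets)[idx] += 1
    # a process seen only before the window still gets a row of zeros,
    # otherwise it silently disappears from the table instead of showing as down
    for event in events:
        counts.setdefault(event["processName"], [0] * buckets)
    return counts


if __name__ == "__main__":
    for name, row in sorted(process_status(SAMPLE_EVENTS).items()):
        print(name, row["status"], row["lastSeen"])
    print("DOWN:", down_processes(SAMPLE_EVENTS))
    print(counts_per_bucket(SAMPLE_EVENTS))
```

With the constructed data, SM2 (last seen 09:55) and SM4 (last seen 10:01:59, one second older than the 10:02:00 cutoff) come out DOWN under the threshold rule, and the same two show a 0 in the newest 3m bucket under the count rule, so the two views agree. The difference is the edge: the threshold query flips to DOWN the instant the last update is older than the interval, while a bucketed count stays at 1 until the bucket containing that update rolls out of the window.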
