Watches for flatline

We're evaluating the Elastic Cloud to replace an existing cluster we managed ourselves. We have some services that log their behaviour to Elasticsearch and we were previously using Elastalert to alert if any of them flatlined.
I'm looking at the Watches capability of X-Pack - is there an equivalent for alerting based on the lack of something happening - i.e. alert if nothing is received in 2 minutes?

Also, is it possible to configure X-Pack in Elastic cloud to send these alerts to Slack?

Thanks

Hey,

You could write a watch that uses a query covering the last 10 minutes. Then you could have one aggregation on the last 5 minutes and one on the window from 5 to 10 minutes ago. Within each aggregation you could have a terms agg on the hostnames (or whatever else you need). Using those aggs' results, you could check whether the set of found hosts differs between the two time windows. If a host is missing (or maybe also if one has been added), then it is time to send an alert.

And yes, it is possible to send alerts using Slack. See https://www.elastic.co/guide/en/elastic-stack-overview/6.4/actions-slack.html

Hope that makes sense.

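The two-window comparison described in the reply, as an added example that is not part of the original thread: a Python function builds the watch body (one search over the last 10 minutes, a filters aggregation splitting it into the two 5-minute windows, a terms agg per window, a Painless condition doing the set difference, and a Slack action), and a second function performs the same host-set difference over a constructed payload so the logic can be checked offline. The index pattern, `host.name` field, Slack account name and channel are assumptions; the example alerts on hosts that went missing, not on hosts that were added.

```python
# Painless condition (assumption: written for this example, not from the original post):
# collect the hosts seen 5-10 minutes ago, drop those also seen in the last 5 minutes,
# and fire when anything is left, i.e. a host stopped logging.
FLATLINE_CONDITION = """
def w = ctx.payload.aggregations.windows.buckets;
Set prev = new HashSet(); for (def b : w.previous.hosts.buckets) { prev.add(b.key); }
Set cur = new HashSet();  for (def b : w.current.hosts.buckets)  { cur.add(b.key); }
prev.removeAll(cur);
return !prev.isEmpty();
"""

def build_flatline_watch(index, host_field, slack_account, channel):
    """Watcher body: one search over the last 10 minutes, split into two 5-minute
    windows by a filters aggregation, each carrying a terms agg on the host field."""
    return {
        "trigger": {"schedule": {"interval": "5m"}},
        "input": {"search": {"request": {"indices": [index], "body": {
            "size": 0,
            "query": {"range": {"@timestamp": {"gte": "now-10m"}}},
            "aggs": {"windows": {
                "filters": {"filters": {
                    "previous": {"range": {"@timestamp": {"gte": "now-10m", "lt": "now-5m"}}},
                    "current": {"range": {"@timestamp": {"gte": "now-5m"}}},
                }},
                "aggs": {"hosts": {"terms": {"field": host_field, "size": 500}}},
            }},
        }}}},
        "condition": {"script": {"lang": "painless", "source": FLATLINE_CONDITION}},
        "actions": {"notify_slack": {"slack": {
            "account": slack_account,
            "message": {"to": [channel], "text": "Flatline: a host stopped logging to " + index},
        }}},
    }

def missing_hosts(payload):
    """Same set difference the Painless condition performs, run in Python over a
    watch payload (the filters agg returns named buckets as a map, not a list)."""
    w = payload["aggregations"]["windows"]["buckets"]
    prev = {b["key"] for b in w["previous"]["hosts"]["buckets"]}
    cur = {b["key"] for b in w["current"]["hosts"]["buckets"]}
    return sorted(prev - cur)

# Constructed sample payload: web-2 logged 5-10 minutes ago but nothing in the last 5 minutes.
SAMPLE_PAYLOAD = {"aggregations": {"windows": {"buckets": {
    "previous": {"hosts": {"buckets": [{"key": "web-1", "doc_count": 40}, {"key": "web-2", "doc_count": 37}]}},
    "current": {"hosts": {"buckets": [{"key": "web-1", "doc_count": 42}]}},
}}}}
```

`missing_hosts(SAMPLE_PAYLOAD)` returns `['web-2']`, which is the case in which the Painless condition would fire and the Slack action would run.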