I am trying to get Logstash to alert me only after it has received more than 1000 items within 10 minutes. I need the alerts in both Hipchat and PagerDuty.
My configuration looks reasonable, but it does not work as expected.
filter {
  # Placeholder for the poster's match condition, left as written in the question
  if my_filtering_conditional_that_is_100%_correct {
    # Intended to tag an event "PD" once 1000 matching events arrive within 600 s
    throttle {
      before_count => 1000
      period       => 600
      add_tag      => ["PD"]
      key          => "string"
    }
    # Intended to produce a copy that the second throttle can tag for Hipchat
    clone {
      add_tag => ["Count"]
    }
  }
  if "Count" in [tags] {
    throttle {
      before_count => 1000
      period       => 600
      add_tag      => ["HC"]
      key          => "string"
    }
  }
}
output {
  if "PD" in [tags] {
    pagerduty {
      event_type   => "trigger"
      incident_key => "logstash/Logstash"
      service_key  => "Pagerduty_API_key"   # placeholder for the real PagerDuty service key
      workers      => 1
      description  => "Alert message"
    }
  }
  if "HC" in [tags] {
    hipchat {
      color   => "random"
      from    => "Logstash"
      format  => "Alert message"
      room_id => "Room"
      token   => "token"
    }
  }
}
Answer 1
You may have more success with the metrics filter.
filter {
  if my_filtering_conditional_that_is_100%_correct {
    # Count the matching events. Every flush_interval seconds the filter emits a
    # new event carrying [events][count] (plus rate fields) and tagged "events";
    # clear_interval resets the counter so each flushed count covers one period.
    metrics {
      meter          => [ "events" ]
      flush_interval => 600
      clear_interval => 600
      add_tag        => "events"
    }
  }
}
output {
  # Only the periodic metrics event carries the tag; alert on its count
  if "events" in [tags] {
    if [events][count] > 1000 {
      # do things
    }
  }
}
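The counting logic the question and Answer 1 are both reaching for, as an added example for this thread (not code from the question, the answers, or Logstash itself), written in Python so it can be run offline against constructed log lines. The rolling-window alerter fires once when a key exceeds the threshold within the period and re-arms after the window drains; the fixed-bucket counter mirrors what a periodically flushed counter such as the metrics filter's flush_interval / clear_interval pair sees. The threshold and period are scaled down to 5 events / 60 s (instead of 1000 / 600 s) to keep the sample short, and the log format and hostnames are invented for the example.

```python
"""Threshold alerting over a stream of log events.

Added example for this thread, not code from the question, the answers or
Logstash: "alert once when more than N matching events arrive within a period"
in plain Python. Threshold and period are scaled down (5 events / 60 s instead
of the question's 1000 / 600 s) so the constructed sample stays short.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: "<ISO-8601 UTC timestamp> <key> <message>". The key plays
# the role of the throttle filter's `key`; every line here is assumed to have
# already matched the poster's filtering condition.
SAMPLE_LINES = [
    # Four events at the very end of the 10:00 minute ...
    "2024-01-01T10:00:50Z web01 login failed",
    "2024-01-01T10:00:52Z web01 login failed",
    "2024-01-01T10:00:54Z web01 login failed",
    "2024-01-01T10:00:56Z web01 login failed",
    # ... and three at the start of the 10:01 minute: seven inside one 60 s window
    "2024-01-01T10:01:02Z web01 login failed",
    "2024-01-01T10:01:04Z web01 login failed",
    "2024-01-01T10:01:06Z web01 login failed",
    # A second key that stays far below the threshold
    "2024-01-01T10:01:07Z web02 login failed",
    # Eleven minutes later the window has drained; a second burst should alert again
    "2024-01-01T10:12:00Z web01 login failed",
    "2024-01-01T10:12:02Z web01 login failed",
    "2024-01-01T10:12:04Z web01 login failed",
    "2024-01-01T10:12:06Z web01 login failed",
    "2024-01-01T10:12:08Z web01 login failed",
    "2024-01-01T10:12:10Z web01 login failed",
]


def parse_line(line):
    """Split a constructed log line into (timezone-aware datetime, key)."""
    ts, key, _message = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), key


class RollingWindowAlerter:
    """Per key, remember the timestamps of events seen in the last `period_s`
    seconds. Fire one alert the moment the count exceeds `threshold`, stay
    silent while it remains above, and re-arm once the window drains back to
    the threshold or below, so a sustained flood pages once, not once per event."""

    def __init__(self, threshold, period_s):
        self.threshold = threshold
        self.period = timedelta(seconds=period_s)
        self.windows = defaultdict(deque)
        self.armed = defaultdict(lambda: True)

    def feed(self, ts, key):
        window = self.windows[key]
        window.append(ts)
        # Drop everything that has aged out of the window (events arrive in order here)
        while ts - window[0] >= self.period:
            window.popleft()
        count = len(window)
        if count > self.threshold:
            if self.armed[key]:
                self.armed[key] = False
                return {"key": key, "count": count, "at": ts.isoformat()}
            return None
        self.armed[key] = True
        return None


def rolling_alerts(lines, threshold=5, period_s=60):
    """Run the rolling-window alerter over log lines; return the alerts raised."""
    alerter = RollingWindowAlerter(threshold, period_s)
    alerts = []
    for line in lines:
        alert = alerter.feed(*parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


def fixed_bucket_alerts(lines, threshold=5, period_s=60):
    """What a periodically flushed counter sees: events are counted per fixed
    bucket and compared with the threshold only at flush time. A burst that
    straddles a bucket boundary is split in two and can go unnoticed."""
    buckets = defaultdict(int)
    for line in lines:
        ts, key = parse_line(line)
        buckets[(key, int(ts.timestamp()) // period_s)] += 1
    return [
        {
            "key": key,
            "bucket_start": datetime.fromtimestamp(b * period_s, tz=timezone.utc).isoformat(),
            "count": c,
        }
        for (key, b), c in sorted(buckets.items())
        if c > threshold
    ]


if __name__ == "__main__":
    print("rolling window:", rolling_alerts(SAMPLE_LINES))
    print("fixed buckets: ", fixed_bucket_alerts(SAMPLE_LINES))
```

Running the sample, the rolling window raises two alerts for web01 (at 10:01:04 and 10:12:10, each when the count reaches 6), while the fixed-bucket counter only reports the 10:12 burst: the first burst is split 4 / 3 across the 10:00 and 10:01 buckets and never crosses the threshold in either. That is the caveat to keep in mind with the metrics filter approach, and the re-arm logic is what keeps the throttle approach from paging on every event past the threshold.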
Answer 2
I think your best bet is to use http://riemann.io/. It works on event "streams", and this kind of logic is not hard to express there.
The example at the link below raises an alert when there are more than 5 events of a certain type:
(streams
  ;; metric within [0, 5]: index the event with state "ok"
  (where (<= 0 metric 5)
    (with :state "ok" index)
    ;; anything else: index it with state "warning"
    (else
      (with :state "warning" index))))
http://riemann.io/howto.html#set-thresholds
Regards,