Using Environment variables in ElastAlert - elastalert

I am trying to implement alerts on my data present in Elasticsearch using ElastAlert. I would like to know if there is a way to use environment variables, a properties file, or exported values to change the fields present in the rule types in ElastAlert, instead of changing the values manually in the rule files, to reduce the possibility of an error.
For example, my spike rule configuration looks like this:
name: Event spike
type: spike
index: alerting-logs-*
threshold_cur: 300
timeframe:
  minutes: 2
spike_height: 2
spike_type: "up"
query_key: HostName
filter:
- query:
    query_string: {query: 'smcfsloglevel:ERROR'}
alert:
- "email"
email:
- "someuser@email.com"
Now if I want to change the value of threshold_cur from 300 to, say, 500, can I somehow do it without editing the spike rule file, for example by exporting a variable and writing threshold_cur: ${thr_cur}?
Does anyone have an idea how to achieve this?

Have you tried defining threshold_cur in your main elastalert.yml file?
current_threshold: 300
And then in your rule file, reference the threshold_cur value:
threshold_cur: {{current_threshold}}
I am doing something like this in an alert file that sends an email, and it works.
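ElastAlert loads each rule file as plain YAML, so one robust way to get the effect the question asks for is to keep the rule as a template and render it from environment variables before ElastAlert starts. The following is an added example in Python (ElastAlert's own language); it is not ElastAlert code and not the answerer's setup. The placeholder names THR_CUR and SPIKE_HEIGHT, the NUMERIC_FIELDS list and the output path are this example's assumptions. The important detail is that substitution is strict: an unset variable fails the render instead of silently producing a rule with an empty or literal "${THR_CUR}" threshold.

```python
"""Render an ElastAlert rule file from environment variables (added example)."""
import os
import re
import string
import sys
from typing import Mapping

# Constructed copy of the spike rule from the question, with the two values
# the question wants to vary turned into ${VAR} placeholders. The placeholder
# names are this example's choice, not an ElastAlert convention.
RULE_TEMPLATE = """\
name: Event spike
type: spike
index: alerting-logs-*
threshold_cur: ${THR_CUR}
timeframe:
  minutes: 2
spike_height: ${SPIKE_HEIGHT}
spike_type: "up"
query_key: HostName
filter:
- query:
    query_string: {query: 'smcfsloglevel:ERROR'}
alert:
- "email"
email:
- "someuser@email.com"
"""

# Spike-rule options that must be numbers (assumed list). A value such as
# "500;" or an empty string would be rejected by ElastAlert's schema check or
# change the rule's meaning, so it is validated before the file is written.
NUMERIC_FIELDS = ("threshold_cur", "threshold_ref", "spike_height")
_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")


def render_rule(template: str, env: Mapping[str, str]) -> str:
    """Fill ${VAR} placeholders from env and sanity-check numeric fields.

    string.Template.substitute (rather than safe_substitute) is deliberate:
    an unset variable raises KeyError instead of leaving "${THR_CUR}" in the
    rule, which ElastAlert would reject at load time or, worse, misread.
    """
    rendered = string.Template(template).substitute(env)
    for line in rendered.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in NUMERIC_FIELDS and not _NUMBER.match(value.strip()):
            raise ValueError(f"{key.strip()} must be numeric, got {value.strip()!r}")
    return rendered


def write_rule(template: str, path: str, env: Mapping[str, str] = os.environ) -> str:
    """Render the template and write the YAML that ElastAlert loads from rules_folder."""
    text = render_rule(template, env)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    # Typical use: THR_CUR=500 SPIKE_HEIGHT=2 python render_rules.py > rules/spike.yaml
    try:
        print(render_rule(RULE_TEMPLATE, os.environ))
    except (KeyError, ValueError) as exc:
        sys.exit(f"cannot render rule: {exc}")
```

Run the renderer from the same unit or container entrypoint that starts ElastAlert, so a missing or malformed variable stops the deployment rather than leaving a stale rule in place.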

Related

Azure Data Factory check file name dynamically

I'm checking daily whether certain files exist in a folder on-prem. The files have a specific format, but the first few letters indicate a specific job. For example, xyz-yyyyMMdd.csv or abc-yyMMdd.csv, etc.
I would like to use a switch activity to see whether the file for each job has arrived or an alert should be raised. How can I dynamically let the switch activity read the 'xyz' portion, knowing that the other part of the file name is dynamic?
Thank you
If the number of your few letters is three, as you said, you can try this expression:
@substring(item().name,0,3)
If not, you can try this:
@split(item().name,'-')[0]
Here is my test:

ElastAlert and changing E-mail content

I've just gotten started with ElastAlert and I love it. I have an application up and running that basically sends me e-mails. My problem now is that the e-mails contain a whole bunch of unnecessary information that I would like to remove.
I've looked around but haven't found any way of doing this. Is there a simple way to change the content of my e-mail to make it a bit simpler, such as specifying exactly which fields I want to see?
Best regards! And thank you in advance.
Example rule config section for custom email content:
alert:
- "email"
alert_text_type: alert_text_only
alert_text: |
  Disk Used : {0:.2%}
  Mount Point : {1}
  Host : {2}
  Timestamp : {3}
alert_text_args: ["system.filesystem.used.pct", "system.filesystem.mount_point", "beat.hostname", "@timestamp"]
email:
- "devops@example.com"
Email Content Sample:
Disk Used : 85.00%
Mount Point : /
Host : example_hostname
Timestamp : 2019-01-14T06:04:46.221Z
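To see what that configuration does to a match, here is an added Python example that applies alert_text_args to alert_text the way the rule above intends (Python str.format over the looked-up field values) and builds the mail body. It is not ElastAlert's code; the sample Metricbeat-style match is constructed, the "<MISSING VALUE>" placeholder text is this example's choice, and the field dump appended when alert_text_type is not alert_text_only is a simplified stand-in for the extra information the question wanted to drop. It also shows the failure mode worth knowing about: a format spec such as {0:.2%} raises when the field is absent or was indexed as a string, so the alert fails rather than sending a blank.

```python
"""Render ElastAlert-style alert_text from a match (added example)."""
from typing import Any, Dict, List, Optional

# Constructed Metricbeat-style match, shaped like an Elasticsearch hit with
# nested objects rather than flat dotted keys.
SAMPLE_MATCH: Dict[str, Any] = {
    "@timestamp": "2019-01-14T06:04:46.221Z",
    "beat": {"hostname": "example_hostname"},
    "system": {"filesystem": {"used": {"pct": 0.85}, "mount_point": "/"}},
}

# The rule fragment from the answer, as Python data.
RULE: Dict[str, Any] = {
    "alert_text_type": "alert_text_only",
    "alert_text": "Disk Used : {0:.2%}\nMount Point : {1}\nHost : {2}\nTimestamp : {3}",
    "alert_text_args": ["system.filesystem.used.pct", "system.filesystem.mount_point",
                        "beat.hostname", "@timestamp"],
}


def lookup_es_key(match: Dict[str, Any], key: str) -> Optional[Any]:
    """Resolve a dotted field name against a hit, whether it is stored flat
    ("a.b.c" as one key) or nested ({"a": {"b": {"c": ...}}}). None if absent."""
    if key in match:
        return match[key]
    cur: Any = match
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render_alert_text(rule: Dict[str, Any], match: Dict[str, Any],
                      missing: str = "<MISSING VALUE>") -> str:
    """Apply alert_text_args to alert_text with str.format.

    A missing field becomes the `missing` placeholder (a string). A format
    spec such as {0:.2%} then raises ValueError, because percent formatting
    needs a number: the alert fails loudly instead of going out blank.
    """
    values: List[Any] = [lookup_es_key(match, arg) for arg in rule["alert_text_args"]]
    values = [missing if v is None else v for v in values]
    return rule["alert_text"].format(*values)


def build_email_body(rule: Dict[str, Any], match: Dict[str, Any]) -> str:
    """With alert_text_type: alert_text_only the formatted text is the whole
    body; otherwise this example appends every top-level field of the match,
    standing in for the verbose dump the question complained about."""
    body = render_alert_text(rule, match)
    if rule.get("alert_text_type") != "alert_text_only":
        body += "\n\n" + "\n".join(f"{k}: {v}" for k, v in sorted(match.items()))
    return body


if __name__ == "__main__":
    print(build_email_body(RULE, SAMPLE_MATCH))
```

Because the values are interpolated verbatim into the mail body, anything a log producer writes into beat.hostname or a similar field ends up in the e-mail; keep the default plain-text e-mail format unless you also control what those fields can contain.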

Elm project scaling: separating Messages/Updates

I am trying to separate files in an Elm project, as keeping everything in global Model, Messages, etc. would be just a mess.
Here is how I tried it so far:
So, there are some global files, and then Header has its own files. However, I keep getting an error when importing Header.View into my global View:
The 1st and 2nd entries in this list are different types of values.
Which kind of makes sense:
The 1st entry has this type:
Html Header.Messages.Msg
But the 2nd is:
Html Msg
So, my question is whether all the messages (from all my modules, like Header) need to be combined somehow in the global Messages.elm, or whether there is a better way of doing this.
My advice would be to keep messages and update in one file until that feels uncomfortable (for you to decide how many lines of code that means; see Evan's Elm Europe talk for more on the modules flow). When you want to break something out, define a new message in Main:
type Msg
= HeaderMsg Header.Msg
| ....
Then use Cmd.map HeaderMsg in your update function and Html.map HeaderMsg in your view function to connect up your sub-components.

Dynamically generate url for HTTP source

I'm trying to call an HTTP endpoint. For that I need to specify a URL that uses a query string to filter data.
Sample URL: http://example.com?date=2017-10-04T22:18.007Z
I need to use the current system time as the value of the date query-string parameter.
I created a script and assigned the generated URL with the current datetime to a variable. However, when I assigned that variable to the URL field in the HTTP source definition, it did not resolve the variable.
Is there a way to solve this issue?
I do this all the time. As long as your script is running properly (you can test that with the test feature on the script), you are writing the URL value to a global variable (something like $URL), and you are writing that global variable out in your target (something like [URL]), it should work.
If you want to show your script (just where you are creating the URL), and your target URL field that could help narrow down the problem.

Adding tags to logstash events based on the md5 of the filename

I'm trying to link logstash events with the eventual file location on AWS S3. We have the logstash agent indexing files directly, and when the file has finished being written to, we send it to S3.
To increase S3 performance, we're fanning out files by storing them like so:
hex(md5(filename.log))[0..2]/filename.log
This takes the first 3 characters of the md5 hexdigest, and stores the file in the folder with that prefix, providing a fairly solid fan out of files. Unfortunately, I can't work out how to tag each log event with this information.
There is the ruby filter type, which allows you to execute Ruby code, but I don't think it allows you to use the result of the computation.
filter {
  ruby {
    code => "require 'digest/md5'; Digest::MD5.hexdigest('mylong.file.name')[0..2]"
    # now what?
  }
}
Is there a way of attaching a tag or field based on a prefix of the md5?
Your code will have a variable event, which is the event itself.
To add a field "foo" with value "bar", you could write something like this:
event.set("foo", "bar")   # Logstash 5+ event API; older releases used event["foo"] = "bar"
See how the file input does it, for example.
If you find your code is a bit unwieldy in a config file, you could write your own input or filter plugin.
Try this:
filter {
  ruby {
    # Single quotes inside the double-quoted code string keep the config valid.
    # event.set is the Logstash 5+ API; older releases used event['md5'] = ...
    code => "require 'digest/md5'; event.set('md5', Digest::MD5.hexdigest('mylong.file.name')[0..2])"
  }
}
The "md5" field is what you want.
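The same prefix has to be computed on the uploader side, or the tag in the event will not match where the file actually lands in S3. As an added example, not part of the question or the answers, here is the derivation in Python with the one detail that bites in practice handled: hash the bare file name, not the path the Logstash file input reports in its path field, since that is what the question's hex(md5(filename.log))[0..2] layout stores. The event dict and the path and s3_key field names are this example's assumptions.

```python
"""S3 fan-out prefix from an MD5 of the file name (added example)."""
import hashlib
import os
from typing import Any, Dict

PREFIX_LEN = 3  # hex(md5(name))[0..2] from the question: 16**3 = 4096 buckets


def s3_prefix(filename: str) -> str:
    """First PREFIX_LEN hex characters of the MD5 of the bare file name.

    MD5 is acceptable here because it only spreads keys across buckets; it
    provides no integrity or authenticity, and nothing here relies on that.
    The basename is hashed so the uploader and the Logstash tag agree no
    matter which directory the agent read the file from.
    """
    name = os.path.basename(filename)
    return hashlib.md5(name.encode("utf-8")).hexdigest()[:PREFIX_LEN]


def s3_key(filename: str) -> str:
    """Object key as the question lays files out: <prefix>/<filename>."""
    name = os.path.basename(filename)
    return f"{s3_prefix(name)}/{name}"


def tag_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Mirror of the ruby filter for a Logstash-style event dict: read the
    file input's 'path' field and attach the prefix and the full S3 key."""
    path = event.get("path")
    if not path:
        return event  # nothing to hash; leave the event untouched
    event["md5"] = s3_prefix(path)
    event["s3_key"] = s3_key(path)
    return event


if __name__ == "__main__":
    # Constructed event in the shape the file input produces.
    print(tag_event({"path": "/var/log/app/mylong.file.name", "message": "hello"}))
```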