elasticsearch 如何筛选Sentinl的日期范围?
因此,我们已经开始实施Sentinl来发送警报。如果发送的错误数超过了指定的阈值,我已成功获取发送的错误数 我真正挣扎的是过滤最后一天 有人能给我指一下正确的方向吗 随信附上脚本:
elasticsearch 如何筛选Sentinl的日期范围?,
elasticsearch,
elasticsearch,因此,我们已经开始实施Sentinl来发送警报。如果发送的错误数超过了指定的阈值,我已成功获取发送的错误数 我真正挣扎的是过滤最后一天 有人能给我指一下正确的方向吗 随信附上脚本: { "actions": { "Email Action": { "throttle_period": "0h0m0s", "email": { "to": "juan@company.co.za", "from": "elk@company.co.
{
"actions": {
"Email Action": {
"throttle_period": "0h0m0s",
"email": {
"to": "juan@company.co.za",
"from": "elk@company.co.za",
"subject": "ELK - ERRORS caused by CreditDecisionServiceAPI.",
"body": "{{payload.hits.total}} ERRORS caused by CreditDecisionServiceAPI. Threshold is 100."
}
},
"Slack Action": {
"throttle_period": "0h0m0s",
"slack": {
"channel": "#alerts",
"message": "{{payload.hits.total}} ERRORS caused by CreditDecisionServiceAPI. Threshold is 100.",
"stateless": false
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"index": [
"*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"appName": "CreditDecisionServiceAPI"
}
},
{
"match": {
"level": "ERROR"
}
},
{
"range": {
"timestamp": {
"from": "now-1d"
}
}
}
]
}
}
}
}
}
},
"condition": {
"script": {
"script": "payload.hits.total > 100"
}
},
"transform": {},
"trigger": {
"schedule": {
"later": "every 15 minutes"
}
},
"disable": true,
"report": false,
"title": "watcher_CreditDecisionServiceAPI_Errors"
}
因此,需要明确的是,这是被查询忽略的部分:
{
"range": {
"timestamp": {
"from": "now-1d"
}
}
}
您需要更改它,并在范围之前添加过滤器Json标记,如下所示:
"filter": [
{
"range": {
"timestamp": {
"gte": "now-1d"
}
}
}
]
我们终于解决了这个问题 Elastic search多次更改其DSL,因此请注意,您需要查看您使用的版本以获得正确的解决方案。我们的版本是:6.2.3 以下查询最终成功:
"query": {
"bool": {
"must": [
{
"match": {
"appName": "CreditDecisionServiceAPI"
}
},
{
"match": {
"level": "ERROR"
}
},
{
"range": {
"@timestamp": {
"gte": "now-1d"
}
}
}
]
}
}
他们已经从过滤器中删除了范围,并将其添加到查询中。谢谢你给我指出了正确的方向!另外,对于未来的读者来说,上述答案对于旧版本是正确的。哦,注意字段类型。在我们的例子中,出于某种原因,我们发送了一个名为timestamp的文本字段,但范围需要一个名为@timestamp的datetime字段。实际上,在我们的系统中,该字段名为
@timestamp
,但我尝试为您的系统以相应的方式编写此变量-您是对的,我为您编写了弹性5.x的答案。