弹性-检查给定时间范围内的所有值是否都大于阈值X

如何解决弹性-检查给定时间范围内的所有值是否都大于阈值X

我想使用弹性查询在Kibana中创建警报。我正在使用opendistro警报功能。我想检查最近10分钟内cpu.pct字段的所有值是否大于50,如果是,则发出警报。

{
"size": 500,"query": {
    "bool": {
        "filter": [
            {
                "match_all": {
                    "boost": 1
                }
            },{
                "match_phrase": {
                    "client.id": {
                        "query": "42","slop": 0,"zero_terms_query": "NONE","boost": 1
                    }
                }
            },{
                "range": {
                    "cpu.pct": {
                        "from": 10,"to": null,"include_lower": true,"include_upper": true,{
                "range": {
                    "@timestamp": {
                        "from": "{{period_end}}||-5m","to": "{{period_end}}","format": "epoch_millis","boost": 1
                    }
                }
            }
        ],"adjust_pure_negative": true,"boost": 1
    }
},"aggregations": {
    "2": {
        "terms": {
            "field": "client.name.keyword","size": 5,"min_doc_count": 1,"shard_min_doc_count": 0,"show_term_doc_count_error": false,"order": {
                "_key": "desc"
            }
        },"aggregations": {
            "3": {
                "terms": {
                    "field": "component.name","size": 1000,"order": [
                        {
                            "1": "desc"
                        },{
                            "_key": "asc"
                        }
                    ]
                },"aggregations": {
                    "1": {
                        "avg": {
                            "field": "cpu.pct"
                        }
                    }
                }
            }
        }
    }
}

我有以下查询计算平均值,但这是不正确的。

否定情况:值(100、100、100、100、100、100、0、0、0、0)|发出警报:否(平均:60)

正例:值(60,60,60,60,60,60,60,60,60,60,60)|发出警报:是(平均:60)

如何检查所有值?

解决方法

我不确定您要使用哪个应用程序来触发警报。解决您的问题的一种方法是通过两个过滤器聚合:

  1. totalInLast10Min:这是为了获取最近10分钟内被编制索引的文档总数。
  2. totalInLast10MinAboveTh:这是为了获取最近10分钟内被编制索引的文档总数,并且该字段的值超过阈值。

如果totalInLast10Min == totalInLast10MinAboveTh,则触发警报。

例如

创建索引

PUT test
{
  "mappings": {
    "properties": {
      "timestamp": {
        "type": "date","format": "yyyy-MM-dd HH:mm:ss"
      }
    }
  }
}

添加一些文档

POST test/_doc
{"cpu":20,"timestamp":"2020-08-18 20:20:00"}

POST test/_doc
{"cpu":100,"timestamp":"2020-08-18 20:21:00"}

POST test/_doc
{"cpu":90,"timestamp":"2020-08-18 20:29:00"}

查询:

GET test/_search
{
  "size": 0,"aggs": {
    "totalInLast10Min": {
      "filter": {
        "range": {
          "timestamp": {
            "gte": "2020-08-18 20:20:00"
          }
        }
      }
    },"totalInLast10MinAboveTh": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "timestamp": {
                  "gte": "2020-08-18 20:20:00"
                }
              }
            },{
              "range": {
                "cpu": {
                  "gte": 80
                }
              }
            }
          ]
        }
      }
    }
  }
}

采样结果:

{
  "took" : 1,"timed_out" : false,"_shards" : {
    "total" : 1,"successful" : 1,"skipped" : 0,"failed" : 0
  },"hits" : {
    "total" : {
      "value" : 3,"relation" : "eq"
    },"max_score" : null,"hits" : [ ]
  },"aggregations" : {
    "totalInLast10MinAboveTh" : {
      "meta" : { },"doc_count" : 2
    },"totalInLast10Min" : {
      "meta" : { },"doc_count" : 3
    }
  }
}

基于两个警报的计数,您可以编写何时触发警报的条件。

版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。

相关推荐


使用本地python环境可以成功执行 import pandas as pd import matplotlib.pyplot as plt # 设置字体 plt.rcParams['font.sans-serif'] = ['SimHei'] # 能正确显示负号 p
错误1:Request method ‘DELETE‘ not supported 错误还原:controller层有一个接口,访问该接口时报错:Request method ‘DELETE‘ not supported 错误原因:没有接收到前端传入的参数,修改为如下 参考 错误2:cannot r
错误1:启动docker镜像时报错:Error response from daemon: driver failed programming external connectivity on endpoint quirky_allen 解决方法:重启docker -> systemctl r
错误1:private field ‘xxx‘ is never assigned 按Altʾnter快捷键,选择第2项 参考:https://blog.csdn.net/shi_hong_fei_hei/article/details/88814070 错误2:启动时报错,不能找到主启动类 #
报错如下,通过源不能下载,最后警告pip需升级版本 Requirement already satisfied: pip in c:\users\ychen\appdata\local\programs\python\python310\lib\site-packages (22.0.4) Coll
错误1:maven打包报错 错误还原:使用maven打包项目时报错如下 [ERROR] Failed to execute goal org.apache.maven.plugins:maven-resources-plugin:3.2.0:resources (default-resources)
错误1:服务调用时报错 服务消费者模块assess通过openFeign调用服务提供者模块hires 如下为服务提供者模块hires的控制层接口 @RestController @RequestMapping("/hires") public class FeignControl
错误1:运行项目后报如下错误 解决方案 报错2:Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.8.1:compile (default-compile) on project sb 解决方案:在pom.
参考 错误原因 过滤器或拦截器在生效时,redisTemplate还没有注入 解决方案:在注入容器时就生效 @Component //项目运行时就注入Spring容器 public class RedisBean { @Resource private RedisTemplate<String
使用vite构建项目报错 C:\Users\ychen\work>npm init @vitejs/app @vitejs/create-app is deprecated, use npm init vite instead C:\Users\ychen\AppData\Local\npm-
参考1 参考2 解决方案 # 点击安装源 协议选择 http:// 路径填写 mirrors.aliyun.com/centos/8.3.2011/BaseOS/x86_64/os URL类型 软件库URL 其他路径 # 版本 7 mirrors.aliyun.com/centos/7/os/x86
报错1 [root@slave1 data_mocker]# kafka-console-consumer.sh --bootstrap-server slave1:9092 --topic topic_db [2023-12-19 18:31:12,770] WARN [Consumer clie
错误1 # 重写数据 hive (edu)> insert overwrite table dwd_trade_cart_add_inc > select data.id, > data.user_id, > data.course_id, > date_format(
错误1 hive (edu)> insert into huanhuan values(1,'haoge'); Query ID = root_20240110071417_fe1517ad-3607-41f4-bdcf-d00b98ac443e Total jobs = 1
报错1:执行到如下就不执行了,没有显示Successfully registered new MBean. [root@slave1 bin]# /usr/local/software/flume-1.9.0/bin/flume-ng agent -n a1 -c /usr/local/softwa
虚拟及没有启动任何服务器查看jps会显示jps,如果没有显示任何东西 [root@slave2 ~]# jps 9647 Jps 解决方案 # 进入/tmp查看 [root@slave1 dfs]# cd /tmp [root@slave1 tmp]# ll 总用量 48 drwxr-xr-x. 2
报错1 hive> show databases; OK Failed with exception java.io.IOException:java.lang.RuntimeException: Error in configuring object Time taken: 0.474 se
报错1 [root@localhost ~]# vim -bash: vim: 未找到命令 安装vim yum -y install vim* # 查看是否安装成功 [root@hadoop01 hadoop]# rpm -qa |grep vim vim-X11-7.4.629-8.el7_9.x
修改hadoop配置 vi /usr/local/software/hadoop-2.9.2/etc/hadoop/yarn-site.xml # 添加如下 <configuration> <property> <name>yarn.nodemanager.res