我试图让Logstash在10分钟内收到超过1000个项目后才提醒我。 我需要Hipchat和PagerDuty的警报。
我的configuration似乎是合理的,但不能按预期工作。
filter { if my_filtering_conditional_that_is_100%_correct { throttle { before_count => 1000 period => 600 add_tag => ["PD"] key => "string" } clone { add_tag => ["Count"] } } if "Count" in [tags] { throttle { before_count => 1000 period => 600 add_tag => ["HC"] key => "string" } } } output { if "PD" in [tags] { pagerduty { event_type => trigger incident_key => "logstash/Logstash" service_key => Pagerduty_API_key workers => 1 description => "Alert message" } } if "HC" in [tags] { hipchat { color => "random" from => "Logstash" format => "Alert message" room_id => "Room" token => "token" } } } 使用指标筛选器可能会取得更好的成效。
filter { my_filtering_conditional_that_is_100%_correct { metrics { meter => [ "events" ] flush_interval => 600 clear_interval => 600 add_tag => "events" } } } output { if "events" in [tags] { if [events][count] > 1000 { # do things } } }
我认为你最好的select是使用http://riemann.io/ 。 它处理事件“stream动”,这种逻辑在这里不难代表。
以下链接的示例会在有多个特定types的5个事件时创build警报:
(streams (where (<= 0 metric 5) (with :state "ok" index) (else (with :state "warning" index))))
http://riemann.io/howto.html#set-thresholds
问候,