Kibana Alerts: description of the Action fields
Source: 200-Areas/210-工程師修煉/ELK/Kibana_Alert設定
Actions content settings
Elasticsearch query | Kibana Guide [7.13] | Elastic
Path: Stack Management -> Alerts And Insights -> Rules and Insights
Example
// Original form of the log entry
{
"type":"log",
"@timestamp":"2023-06-02T10:18:35+00:00",
"tags":["fatal","plugins","actions","actions"],
"pid":1504523,
"message":"Server log: 【alert 'TEST' matched query】:9 > 4, 45 s。{; \"query\":{; \"match_all\" : {}; };}"
}
// Configured action message template
【】: 實際值 臨界值 在 內。查詢條件 =
// Resulting content of message
【Apple-check】 Server log: 【alert 'TEST' matched query】: 實際值 24 > 臨界值 4 在 45 s 內。查詢條件 = {; "query":{; "match_all" : {}; };}
alert.actionGroup:query matched;
alert.actionGroupName:Query matched;
alert.actionSubgroup:;
alert.id:query matched;
context.conditions:Number of matching documents is greater than 5
context.date:2023-06-02T08:33:16.735Z
context.hits: # appears to be the full result of the ES query
context.message:alert 'TEST' is active:;;- Value: 6;- Conditions Met: Number of matching documents is greater than 5 over 5m;
context.title:alert 'TEST' matched query;
context.value:6;
kibanaBaseUrl:;
params.esQuery:{; "query":{; "match_all" : {}; };};
params.index:logstash-iis-cpgorder-202*;
params.size:200;
params.threshold:5;
params.thresholdComparator:>;
params.timeWindowUnit:m;
params.timeWindowSize:200
rule.id:97bacdc0-feae-11ed-a92c-b396f271d0f7;
rule.name:TEST;
rule.spaceId:default;
rule.tags:;
rule.type:.es-query
Action Variables field descriptions
context.title
A preconstructed title for the rule. Example: rule term match alert query matched.
context.message
A preconstructed message for the rule. Example:
rule 'term match alert' is active:
- Value: 42
- Conditions Met: count greater than 4 over 5m
- Timestamp: 2020-01-01T00:00:00.000Z
context.group
The name of the action group associated with the condition. Example: query matched.
context.date
The date, in ISO format, that the rule met the condition. Example: 2020-01-01T00:00:00.000Z.
context.value
The value of the rule that met the condition.
context.conditions
A description of the condition. Example: count greater than 4.
context.hits
The most recent ES documents that matched the query. Using the Mustache template array syntax, you can iterate over these hits to get values from the ES documents into your actions.
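As an added example that is not part of the original note or of Kibana itself, the following Python shows how the action variables listed above are substituted into a message template, including the Mustache array syntax for context.hits described just above. The template text, the two hit documents and the renderer are assumptions: Kibana uses a full Mustache implementation, while this minimal renderer handles only dotted variables and list sections and does no HTML escaping. The variable values are taken from the listing on the page.

```python
import re

# Constructed sample of the action variables (values copied from the listing on
# the page; the two documents under context.hits are a constructed placeholder).
SAMPLE_VARIABLES = {
    "rule": {"name": "TEST", "tags": [], "type": ".es-query"},
    "context": {
        "title": "alert 'TEST' matched query",
        "value": 6,
        "conditions": "Number of matching documents is greater than 5",
        "date": "2023-06-02T08:33:16.735Z",
        "hits": [
            {"_index": "logstash-iis-cpgorder-2023", "_id": "a1", "_source": {"status": 500}},
            {"_index": "logstash-iis-cpgorder-2023", "_id": "b2", "_source": {"status": 503}},
        ],
    },
    "params": {
        "index": "logstash-iis-cpgorder-202*",
        "threshold": 5,
        "thresholdComparator": ">",
        "timeWindowSize": 200,
        "timeWindowUnit": "m",
        "esQuery": '{ "query": { "match_all": {} } }',
    },
}

# Assumed message template (hypothetical): the same shape as the note's
# message, with the hits appended one per line via a Mustache section.
TEMPLATE = (
    "Server log: 【{{context.title}}】: actual value {{context.value}} "
    "{{params.thresholdComparator}} threshold {{params.threshold}} within "
    "{{params.timeWindowSize}} {{params.timeWindowUnit}}. "
    "Query condition = {{params.esQuery}}\n"
    "{{#context.hits}}- {{_index}}/{{_id}} status={{_source.status}}\n{{/context.hits}}"
)

SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.S)
VAR_RE = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(name, scopes):
    """Resolve a dotted name, innermost scope first (Mustache context stack)."""
    for scope in reversed(scopes):
        cur, found = scope, True
        for part in name.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            else:
                found = False
                break
        if found:
            return cur
    return None


def render(template, data, scopes=None):
    """Minimal Mustache-style rendering: {{a.b}} variables and {{#list}}...{{/list}} sections."""
    scopes = (scopes or []) + [data]

    def expand_section(m):
        items = lookup(m.group(1), scopes)
        if not items:            # missing, empty list or falsy value: section is dropped
            return ""
        if not isinstance(items, list):
            items = [items]      # a non-list truthy value renders the body once
        return "".join(
            render(m.group(2), item if isinstance(item, dict) else {}, scopes)
            for item in items
        )

    def expand_var(m):
        value = lookup(m.group(1), scopes)
        return "" if value is None else str(value)   # unknown variables render empty

    return VAR_RE.sub(expand_var, SECTION_RE.sub(expand_section, template))


def render_alert(variables=SAMPLE_VARIABLES, template=TEMPLATE):
    """Render the assumed template with the sample action variables."""
    return render(template, variables)


if __name__ == "__main__":
    print(render_alert())
```

Note that an unset variable such as the empty rule.tags or kibanaBaseUrl renders as an empty string rather than an error, which is why a template should not rely on such fields to carry essential information.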