Kibana Alerts: description of the Action field

Source: 200-Areas/210-工程師修煉/ELK/Kibana_Alert設定

Actions content settings

Elasticsearch query | Kibana Guide [7.13] | Elastic

Path: Stack Management -> Alerts And Insights -> Rules and Insights

Example

200-Areas/210-工程師修煉/ELK/resource/KibanaAlerts的Action欄位說明.png

200-Areas/210-工程師修煉/ELK/resource/KibanaAlerts的Action欄位說明-1.png

// Original form (the raw Kibana server log entry)
{
	"type":"log",
	"@timestamp":"2023-06-02T10:18:35+00:00",
	"tags":["fatal","plugins","actions","actions"],
	"pid":1504523,
	"message":"Server log: 【alert 'TEST' matched query】:9 > 4, 45 s。{;  \"query\":{;    \"match_all\" : {};  };}"
}

// Configured content (the message template entered in the action)
【】: actual value   threshold   within   . Query condition = 

// Resulting content of the message

【Apple-check】 Server log: 【alert 'TEST' matched query】: 實際值 24 > 臨界值 4 在 45 s 內。查詢條件 = {;  "query":{;    "match_all" : {};  };}

alert.actionGroup:query matched;
alert.actionGroupName:Query matched;
alert.actionSubgroup:;
alert.id:query matched;

context.conditions:Number of matching documents is greater than 5
context.date:2023-06-02T08:33:16.735Z
context.hits: # appears to be the full result of the ES query
context.message:alert 'TEST' is active:;;- Value: 6;- Conditions Met: Number of matching documents is greater than 5 over 5m;
context.title:alert 'TEST' matched query;
context.value:6;

kibanaBaseUrl:;

params.esQuery:{;  "query":{;    "match_all" : {};  };};
params.index:logstash-iis-cpgorder-202*;
params.size:200;
params.threshold:5;
params.thresholdComparator:>;
params.timeWindowUnit:m;
params.timeWindowSize:200

rule.id:97bacdc0-feae-11ed-a92c-b396f271d0f7;
rule.name:TEST;
rule.spaceId:default;
rule.tags:;
rule.type:.es-query

Action Variables field descriptions

context.title

A preconstructed title for the rule. Example: rule term match alert query matched.

context.message

A preconstructed message for the rule. Example:
rule 'term match alert' is active:
- Value: 42
- Conditions Met: count greater than 4 over 5m
- Timestamp: 2020-01-01T00:00:00.000Z

context.group

The name of the action group associated with the condition. Example: query matched.

context.date

The date, in ISO format, that the rule met the condition. Example: 2020-01-01T00:00:00.000Z.

context.value

The value of the rule that met the condition.

context.conditions

A description of the condition. Example: count greater than 4.

context.hits

The most recent ES documents that matched the query. Using the Mustache template array syntax, you can iterate over these hits to get values from the ES documents into your actions.
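To make the Mustache expansion concrete, here is an added example (not code from the original note or from Kibana) of a minimal Mustache-style renderer that expands a message template using the action variables listed above, including a {{#context.hits}} loop over the matching documents. The variable values, the two hits and the template itself are constructed for the example; the renderer is a simplified stand-in for Kibana's real Mustache engine.

```javascript
// Constructed sample of the variables an .es-query rule passes to its action; values mirror
// the note above, and context.hits is a made-up two-document sample.
const variables = {
  alert: { actionGroup: 'query matched' },
  context: { value: 6, hits: [
    { _id: 'doc-1', _source: { 'cs-uri-stem': '/api/order', 'sc-status': 500 } },
    { _id: 'doc-2', _source: { 'cs-uri-stem': '/api/pay', 'sc-status': 503 } },
  ] },
  params: { esQuery: { query: { match_all: {} } }, threshold: 5, thresholdComparator: '>',
            timeWindowSize: 200, timeWindowUnit: 'm' },
  rule: { name: 'TEST', type: '.es-query' },
};

// Resolve a dotted path ("context.value") against a scope stack, innermost scope first.
// Unknown variables render as an empty string, as in Mustache.
function lookup(path, scopes) {
  const keys = path === '.' ? ['.'] : path.split('.');
  for (let i = scopes.length - 1; i >= 0; i--) {
    const v = keys.reduce((o, k) => (o == null ? undefined : o[k]), scopes[i]);
    if (v !== undefined) return v;
  }
  return '';
}

// Expand {{#name}}...{{/name}} sections (arrays iterate, falsy values skip the body), then
// plain {{name}} tags; object values such as params.esQuery are serialised as JSON.
function render(template, scopes) {
  const isObj = (x) => x !== null && typeof x === 'object';
  const expanded = template.replace(/\{\{#([\w.\-]+)\}\}([\s\S]*?)\{\{\/\1\}\}/g, (_, name, body) => {
    const v = lookup(name, scopes);
    const items = Array.isArray(v) ? v : v ? [v] : [];
    return items.map((it) => render(body, [...scopes, isObj(it) ? it : { '.': it }])).join('');
  });
  return expanded.replace(/\{\{([\w.\-]+)\}\}/g, (_, name) => {
    const v = lookup(name, scopes);
    return isObj(v) ? JSON.stringify(v) : String(v);
  });
}

// Constructed message template in the style of the note's action message, extended with a
// context.hits loop that pulls fields out of each matching document's _source.
const template =
  '【{{alert.actionGroup}}】: actual value {{context.value}} {{params.thresholdComparator}} ' +
  'threshold {{params.threshold}} within {{params.timeWindowSize}} {{params.timeWindowUnit}}. ' +
  'Query = {{params.esQuery}}{{#context.hits}}\n- {{_id}}: {{_source.cs-uri-stem}} -> {{_source.sc-status}}{{/context.hits}}';

function renderAlertMessage() {
  return render(template, [variables]);
}
console.log(renderAlertMessage());
```

Because hit fields are copied verbatim into the notification, keep the loop limited to the fields the recipient actually needs rather than dumping whole _source documents into e-mail or chat channels.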