Kibana Watcher - Write and Build Alerts


In this tutorial, we will explore a few simple ways to write Watchers and send alerts via email. Although there are lots of things you can do with Watchers, in this tutorial we will focus on two basic ones. Watcher is the alerting feature of the Elastic Stack: a watch is a JSON document that Elasticsearch runs on a schedule, and Kibana provides the UI for creating and inspecting watches.

  1. We will create an alert via email when there have been no records in the last 5 minutes:

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "customer-activity-*"
        ],
        "body": {
          "query": {
            "range": {
              "@timestamp": {
                "gte": "now-5m",
                "lte": "now"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "eq": 0
      }
    }
  },
  "actions": {
    "email_alert": {
      "email": {
        "to": "smit@example.com",
        "subject": "No activity alert",
        "body": "There have been no records in the 'customer-activity-*' index pattern for the last 5 minutes."
      }
    }
  }
}

With this, you can create an alert in Kibana: paste the definition into the Watcher UI under Stack Management (the advanced watch editor) or register it with PUT _watcher/watch/<watch_id>. The email action only works once an email account is configured under xpack.notification.email in elasticsearch.yml. Now let's understand the above. A watch has four main sections:

  • trigger: when the watch runs. Here it is a schedule with a 5 minute interval, which deliberately matches the 5 minute query window so consecutive runs cover the timeline without gaps or overlap.

  • input: loads the data to be evaluated into ctx.payload. Here it is a search over the customer-activity-* index pattern for documents whose @timestamp falls in the last 5 minutes; adding "size": 0 to the request body would return only the count, since the documents themselves are never used.

  • condition: decides whether the actions run. A compare condition tests one payload value against a constant; here ctx.payload.hits.total must equal 0.

  • actions: what to do when the condition is met. Here we send an email; "to" can also be a list of addresses.

A "no records" watch like this is a heartbeat for the ingestion pipeline: zero events in five minutes usually means a broken shipper or queue, but it is also exactly what a silenced or tampered log source looks like, so route it to whoever owns the pipeline as well as to the people who depend on the data.
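To turn the four sections into something you can register and dry-run, here is an added Python example; it is not code from the original post or from Elastic. It builds the no-data watch above for any index pattern and window, produces the PUT _watcher/watch/<id> and POST _watcher/watch/<id>/_execute request bodies, and evaluates the compare condition offline against constructed payloads. The index pattern, recipient address and watch id are placeholders; the _execute body uses the Watcher execute-API options action_modes, record_execution and alternative_input.

```python
import re
from typing import Any, Dict, Optional

# Added example, not code from the original tutorial. It assembles the
# "no records in the last N minutes" watch from the four sections above and
# evaluates its compare condition offline against constructed payloads.

_WINDOW_RE = re.compile(r"^\d+[smhd]$")  # the date-math units accepted here: s, m, h, d


def build_no_data_watch(index_pattern: str, window: str, recipient: str) -> Dict[str, Any]:
    """Build the watch. The same `window` value is used for the trigger interval and
    for the query range so consecutive runs tile the timeline without gaps or overlap."""
    if not _WINDOW_RE.match(window):
        raise ValueError(f"window must look like '5m' or '1h', got {window!r}")
    return {
        "trigger": {"schedule": {"interval": window}},
        "input": {
            "search": {
                "request": {
                    "indices": [index_pattern],
                    "body": {
                        "size": 0,  # only hits.total is needed, not the documents themselves
                        "query": {"range": {"@timestamp": {"gte": f"now-{window}", "lte": "now"}}},
                    },
                }
            }
        },
        "condition": {"compare": {"ctx.payload.hits.total": {"eq": 0}}},
        "actions": {
            "email_alert": {
                "email": {
                    "to": recipient,
                    "subject": f"No activity alert ({index_pattern})",
                    "body": f"There have been no records in '{index_pattern}' for the last {window}.",
                }
            }
        },
    }


def put_watch_request(watch_id: str, watch: Dict[str, Any]) -> Dict[str, Any]:
    """The request that registers a watch: PUT _watcher/watch/<id> with the watch as body."""
    return {"method": "PUT", "path": f"/_watcher/watch/{watch_id}", "body": watch}


def execute_watch_request(watch_id: str, alternative_input: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """A dry run: POST _watcher/watch/<id>/_execute. action_modes "_all": "simulate" evaluates
    the condition but simulates every action (no email leaves the cluster), and
    record_execution False keeps the run out of the watch history. alternative_input
    replaces the search result, which is how you exercise the "no hits" branch while the
    index is actually healthy."""
    body: Dict[str, Any] = {"action_modes": {"_all": "simulate"}, "record_execution": False}
    if alternative_input is not None:
        body["alternative_input"] = alternative_input
    return {"method": "POST", "path": f"/_watcher/watch/{watch_id}/_execute", "body": body}


def _resolve(payload: Dict[str, Any], dotted_path: str) -> Any:
    """Resolve a 'ctx.payload.a.b' path against the payload dict."""
    parts = dotted_path.split(".")
    if parts[:2] != ["ctx", "payload"]:
        raise ValueError("only ctx.payload.* paths are handled in this example")
    value: Any = payload
    for part in parts[2:]:
        value = value[part]
    # Depending on the Elasticsearch version, hits.total may be an integer or an
    # object {"value": n, "relation": "eq"}; normalise so both shapes compare correctly.
    if isinstance(value, dict) and "value" in value:
        value = value["value"]
    return value


_OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "not_eq": lambda actual, expected: actual != expected,
    "gt": lambda actual, expected: actual > expected,
    "gte": lambda actual, expected: actual >= expected,
    "lt": lambda actual, expected: actual < expected,
    "lte": lambda actual, expected: actual <= expected,
}


def evaluate_compare(condition: Dict[str, Any], payload: Dict[str, Any]) -> bool:
    """Evaluate a Watcher compare condition ({"compare": {<path>: {<op>: <value>}}})
    the way Watcher does: a single path, a single operator, against the payload."""
    (path, spec), = condition["compare"].items()
    (operator, expected), = spec.items()
    return bool(_OPERATORS[operator](_resolve(payload, path), expected))


if __name__ == "__main__":
    # Placeholder index pattern, recipient and watch id.
    watch = build_no_data_watch("customer-activity-*", "5m", "soc@example.com")
    print(put_watch_request("no-customer-activity", watch)["path"])
    # Constructed payloads: an empty result must fire, a non-empty one must not.
    print(evaluate_compare(watch["condition"], {"hits": {"total": 0}}))   # True
    print(evaluate_compare(watch["condition"], {"hits": {"total": 42}}))  # False
```

Registering the watch and then calling _execute with an alternative_input of {"hits": {"total": 0}} is the cheapest way to confirm the email action is wired up before you wait for a real outage; with action_modes set to simulate, the response shows the rendered email without sending it.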

  2. Now let's take a look at another example, which compares the record counts of two consecutive days:

{
  "trigger": {
    "schedule": {
      "daily": {
        "at": "00:15"
      }
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "previous_day": {
            "search": {
              "request": {
                "indices": [
                  "customer-activity-*"
                ],
                "body": {
                  "size": 0,
                  "query": {
                    "range": {
                      "@timestamp": {
                        "gte": "now-2d/d",
                        "lt": "now-1d/d"
                      }
                    }
                  }
                }
              }
            }
          }
        },
        {
          "last_day": {
            "search": {
              "request": {
                "indices": [
                  "customer-activity-*"
                ],
                "body": {
                  "size": 0,
                  "query": {
                    "range": {
                      "@timestamp": {
                        "gte": "now-1d/d",
                        "lt": "now/d"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.last_day.hits.total > (1.1 * ctx.payload.previous_day.hits.total)"
    }
  },
  "actions": {
    "email_alert": {
      "email": {
        "to": "recipient@example.com",
        "subject": "Record count alert",
        "body": "The record count for the day before yesterday was {{ctx.payload.previous_day.hits.total}} and the record count for yesterday is {{ctx.payload.last_day.hits.total}}. The increase is greater than 10%."
      }
    }
  }
}

In this example, the watch fires when yesterday's record count is more than 10% higher than the day before's. A script condition is needed because compare can only test a single payload value against a constant, whereas here two counts, loaded under separate names in ctx.payload, are compared with each other. Since both windows are complete calendar days (date math with /d rounds to midnight, and an exclusive lt bound keeps the two windows from sharing a document), a schedule that runs once a day shortly after midnight is enough; running it every 5 minutes would only resend the same email 288 times. Two caveats: if the baseline day had zero records, any non-zero count fires (any number is greater than 1.1 * 0), and the comparison only catches increases. A broken or silenced log source shows up as a drop, so for security monitoring you would add the reverse comparison as well.
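The following is an added Python example, not code from the original post or from Elastic, that generates the day-over-day watch for a configurable threshold and mirrors its Painless condition offline so the edge cases can be checked against constructed payloads. It goes beyond the page's version in one labelled way: an optional both_directions flag also alerts on a drop of more than the threshold, in both the generated script and the local evaluator. The index pattern, recipient and the 00:15 run time are assumptions.

```python
from typing import Any, Dict

# Added example, not code from the original tutorial. It generates the
# day-over-day watch for a configurable threshold and evaluates the script
# condition offline, with the zero-baseline and drop cases made explicit.


def day_window_search(index_pattern: str, start_days_ago: int, end_days_ago: int) -> Dict[str, Any]:
    """Count documents in the complete calendar days from start_days_ago (inclusive) back to
    end_days_ago (exclusive). (1, 0) is yesterday, (2, 1) the day before. Rounding with /d
    and the exclusive `lt` bound mean two adjacent windows never share a document."""
    if start_days_ago <= end_days_ago:
        raise ValueError("start_days_ago must be further back in time than end_days_ago")
    end = "now/d" if end_days_ago == 0 else f"now-{end_days_ago}d/d"
    return {
        "search": {
            "request": {
                "indices": [index_pattern],
                "body": {
                    "size": 0,  # only hits.total is used
                    "query": {"range": {"@timestamp": {"gte": f"now-{start_days_ago}d/d", "lt": end}}},
                },
            }
        }
    }


def build_daily_delta_watch(index_pattern: str, recipient: str, threshold: float = 0.10,
                            both_directions: bool = False) -> Dict[str, Any]:
    """Run once a day shortly after midnight (assumed 00:15), compare yesterday with the day
    before, and alert when yesterday is more than `threshold` above it (or, with
    both_directions, also more than `threshold` below it)."""
    up, down = 1 + threshold, 1 - threshold
    last, prev = "ctx.payload.last_day.hits.total", "ctx.payload.previous_day.hits.total"
    source = f"{last} > ({up} * {prev})"
    if both_directions:
        source += f" || {last} < ({down} * {prev})"
    return {
        "trigger": {"schedule": {"daily": {"at": "00:15"}}},
        "input": {"chain": {"inputs": [
            {"previous_day": day_window_search(index_pattern, 2, 1)},
            {"last_day": day_window_search(index_pattern, 1, 0)},
        ]}},
        "condition": {"script": {"source": f"return {source}"}},
        "actions": {"email_alert": {"email": {
            "to": recipient,
            "subject": "Record count alert",
            "body": ("Yesterday: {{ctx.payload.last_day.hits.total}} records, the day before: "
                     "{{ctx.payload.previous_day.hits.total}} records."),
        }}},
    }


def _total(hits: Dict[str, Any]) -> int:
    """hits.total is an integer in Watcher payloads, but newer versions may return an
    object {"value": n, ...}; accept both shapes."""
    total = hits["total"]
    return int(total["value"] if isinstance(total, dict) else total)


def delta_exceeds(payload: Dict[str, Any], threshold: float = 0.10, both_directions: bool = False) -> bool:
    """Python mirror of the generated Painless condition. It multiplies instead of dividing,
    so a zero baseline needs no special case: with previous_day == 0 the watch fires on any
    non-zero count (as the page's script does) and stays quiet when both days are zero."""
    prev = _total(payload["previous_day"]["hits"])
    last = _total(payload["last_day"]["hits"])
    fired = last > (1 + threshold) * prev
    if both_directions:
        fired = fired or last < (1 - threshold) * prev
    return fired


if __name__ == "__main__":
    watch = build_daily_delta_watch("customer-activity-*", "recipient@example.com")  # placeholders
    print(watch["condition"]["script"]["source"])
    # Constructed payloads in the shape a chain input produces.
    print(delta_exceeds({"previous_day": {"hits": {"total": 1000}}, "last_day": {"hits": {"total": 1200}}}))  # True
    print(delta_exceeds({"previous_day": {"hits": {"total": 1000}}, "last_day": {"hits": {"total": 500}}}))   # False
```

The generated Painless string and delta_exceeds are kept deliberately parallel, so whatever you assert locally about the zero-baseline or drop behaviour is what the watch will do once it is registered.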

These are just a few examples of what Watcher in the Elastic Stack (ELK) is capable of. In upcoming tutorials we will explore other examples of Watchers and many other features.

Feel free to share your thoughts and feedback in the comments or on Twitter at @smit_shah_95