Hi Team,
I want to send the alerts if in my infrastructure any device’s cpu pct is greater than 80%.
I have written the below query.
{
“size”: 0,
“query”: {
“bool”: {
“filter”: {
“range”: {
“@timestamp”: {
“gte”: “now-3m”,
“lte”: “now”
}
}
}
}
},
“aggs”: {
“per_host”: {
“terms”: {
“field”: “agent.hostname.keyword”,
“size”: “100”
},
“aggs”: {
“cpu_per_day”: {
“auto_date_histogram”: {
“field”: “@timestamp”
},
“aggs”: {
“cpu”: {
“avg”: {
“field”: “system.load.1”
}
},
“brand_bucket_filter”: {
“bucket_selector”: {
“buckets_path”: {
“avgcpu”: “cpu”
},
“script”: “Math.round(params.avgcpu) > 0.8”
}
}
}
}
}
}
}
}
However, i have seen an example of change_in_memory and i am unable to understnad the working of normalization in this.
Can someone support?
{
“trigger”: {
“schedule”: {
“weekly”: [
{
“on”: [
“sat”
],
“at”: “12:00”
}
]
}
},
“checks”: [
{
“type”: “static”,
“name”: “constants”,
“target”: “constants”,
“value”: {
“num_of_hosts”: 100,
“interval”: “day”,
“mem_threshold”: 0,
“window”: “1M”
}
},
{
“type”: “search”,
“name”: “change_in_memory”,
“target”: “change_in_memory”,
“request”: {
“indices”: [
“kibana_sample_data_logs”
],
“body”: {
“size”: 0,
“query”: {
“bool”: {
“filter”: {
“range”: {
“timestamp”: {
“gte”: “now-{{constants.window}}”,
“lte”: “now”
}
}
}
}
},
“aggs”: {
“per_host”: {
“terms”: {
“field”: “host.keyword”,
“size”: “{{data.constants.num_of_hosts}}”
},
“aggs”: {
“memory_per_day”: {
“date_histogram”: {
“field”: “timestamp”,
“fixed_interval”: “{{data.constants.interval}}”
},
“aggs”: {
“memory”: {
“sum”: {
“field”: “memory”
}
},
“memory_deriv”: {
“derivative”: {
“buckets_path”: “memory”
}
}
}
}
}
}
}
}
}
},
{
“type”: “condition”,
“name”: “mycondition”,
“source”: " def hosts=data.change_in_memory.aggregations.per_host.buckets;\n if(hosts.size()==0) return false;\n return hosts.stream().anyMatch(h->{\n def mem_deriv=h.memory_per_day.buckets[h.memory_per_day.buckets.length-1].memory_deriv.value;\n return mem_deriv<data.constants.mem_threshold;\n });"
},
{
“name”: “data_normalization”,
“type”: “transform”,
“source”: " def hosts=data.change_in_memory.aggregations.per_host.buckets;\n return hosts.stream().filter(h->{\n def mem_per_day=h.memory_per_day.buckets;\n def mem_deriv=mem_per_day[mem_per_day.length-1].memory_deriv.value;\n return mem_deriv<data.constants.mem_threshold;\n }).map(h->{\n def mem_per_day=h.memory_per_day.buckets;\n def mem_deriv=mem_per_day[mem_per_day.length-1].memory_deriv.value;\n return[‘host’: h.key, ‘mem_deriv’: mem_deriv];\n }).collect(Collectors.toList());"
}
],
“actions”: [
{
“type”: “webhook”,
“name”: “myslack”,
“throttle_period”: “1s”,
“request”: {
“method”: “POST”,
“url”: “Unlock your productivity potential with Slack Platform | Slack”,
“body”: “{"text": "\nHosts with memory change less then 0 MB over last 1 month:\n{{#data._value}}\n {{host}}: {{mem_deriv}}\n{{/data._value}}\n"}”,
“headers”: {
“Content-type”: “application/json”
}
}
}
],
“active”: true,
“log_runtime_data”: false,
“_id”: “change_in_memory”
}
//Ankita