elasticsearch - ElastAlert 规则中的聚合值

Question

我需要编写一个 ElastAlert 规则来聚合事件的值。 “value”是 ES 文档中的字段之一。 例如，我需要所有值的总和或平均值。

我是 Python 新手，所以想知道是否有此类规则的示例。

Answer 1

例如，如果您希望在文档之间聚合的特定值达到阈值时触发警报，您​​可以实现自己的规则来执行此操作。

首先在 __ init__.py 文件旁边创建一个名为 elastalert_modules/my_rules.py 的文件，如文档所述。

然后在my_rules.py中你可以编写以下内容:

from elastalert.ruletypes import RuleType

class CountValuesRule(RuleType):

    tracked_values = ['value1', 'value2', 'value3']
    counts = {key: 0 for key in tracked_values}

    # From elastalert docs:
    #     add_data will be called each time Elasticsearch is queried.
    #     data is a list of documents from Elasticsearch, sorted by timestamp,
    #     including all the fields that the config specifies with "include"
    def add_data(self, data):

        def should_trigger(document):
            # here decide if value in counts should trigger alert, for example:
            if self.counts['value1'] > 1000
                return True
            return False

        for document in data:
            # Increment tracked values
            for value in self.tracked_values:
                self.counts[value] += document.get(value, 0)

            if should_trigger(document):
                self.add_match(document)
                # Stop checking other values
                break

    # The results of get_match_str will appear in the alert text
    def get_match_str(self, match):
        return "A value has reached specified threshold. Values: %s" % (str(self.counts))

    # From elastalert docs:
    # garbage_collect is called indicating that ElastAlert has already been run up to timestamp
    # It is useful for knowing that there were no query results from Elasticsearch because
    # add_data will not be called with an empty list
    def garbage_collect(self, timestamp):
        pass

最后将此自定义规则包含在您正在配置的规则中，如下所示:

name: Your rule name
es_host: Your host
es_port: Your port
type: "elastalert_modules.my_rules.CountValuesRule"