forked from sentinl/sentinl
-
Notifications
You must be signed in to change notification settings - Fork 0
KAAE Random Examples
Lorenzo Mangani edited this page Sep 10, 2016
·
1 revision
In this example we'll configure a Kaae (or Elastic) Watcher to stream statuses to an extermal Nagios NRDP endpoint.
Let's run an aggregation query in Sense to find low MOS groups in the last 5 minutes interval:
GET _search
{
"query": {
"filtered": {
"query": {
"query_string": {
"query": "_type:metrics_calls_total_mos AND tab:mos",
"analyze_wildcard": true
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-5m",
"lte": "now"
}
}
},
{
"range" : {
"value" : {
"lte" : 3
}
}
}
],
"must_not": []
}
}
}
},
"size": 0,
"aggs": {
"mos": {
"date_histogram": {
"field": "@timestamp",
"interval": "30s",
"time_zone": "Europe/Berlin",
"min_doc_count": 1
},
"aggs": {
"by_group": {
"terms": {
"field": "group.raw",
"size": 5,
"order": {
"_term": "desc"
}
},
"aggs": {
"avg": {
"avg": {
"field": "value"
}
}
}
}
}
}
}
}The response should look similar to this example - let's analyze the data structure:
{
"took": 5202,
"timed_out": false,
"_shards": {
"total": 104,
"successful": 104,
"failed": 0
},
"hits": {
"total": 3,
"max_score": 0,
"hits": []
},
"aggregations": {
"mos": {
"buckets": [
{
"key_as_string": "2016-08-02T13:41:00.000+02:00",
"key": 1470138060000,
"doc_count": 2,
"by_group": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "domain1.com",
"doc_count": 2,
"avg": {
"value": 1.85
}
}
]
}
},
{
"key_as_string": "2016-08-02T13:42:00.000+02:00",
"key": 1470138120000,
"doc_count": 1,
"by_group": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "domain2.com",
"doc_count": 1,
"avg": {
"value": 2.81
}
}
]
}
}
]
}
}
}Next let's use Sense to create a custom Watcher based on the query and its response, using mustache syntax to loop trough the aggregation buckets and extracting grouped results in an XML structure accepted by Nagios:
PUT _watcher/watch/low_mos
{
"metadata": {
"mos threshold": 3
},
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"indices": [
"<pcapture_*-{now/d}>"
],
"body": {
"size": 0,
"query": {
"filtered": {
"query": {
"query_string": {
"query": "_type:metrics_calls_total_mos AND tab:mos",
"analyze_wildcard": true
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-5m",
"lte": "now"
}
}
},
{
"range": {
"value": {
"lte": 3
}
}
}
],
"must_not": []
}
}
}
},
"aggs": {
"mos": {
"date_histogram": {
"field": "@timestamp",
"interval": "30s",
"time_zone": "Europe/Berlin",
"min_doc_count": 1
},
"aggs": {
"by_group": {
"terms": {
"field": "group.raw",
"size": 5,
"order": {
"_term": "desc"
}
},
"aggs": {
"avg": {
"avg": {
"field": "value"
}
}
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"actions" : {
"my_webhook" : {
"throttle_period" : "5m",
"webhook" : {
"method" : "POST",
"host" : "nagios.domain.ext",
"port" : 80,
"path": ":/nrdp",
"body" : "token=TOKEN&cmd=submitcheck&XMLDATA=<?xml version='1.0'?><checkresults>{{#ctx.payload.aggregations.mos.buckets}} <checkresult type='host' checktype='1'>{{#by_group.buckets}}<hostname>{{key}}</hostname><servicename>MOS</servicename><state>0</state><output>MOS is {{avg.value}}</output> {{/by_group.buckets}}</checkresult>{{/ctx.payload.aggregations.mos.buckets}}</checkresults></xml>"
}
}
}
}<?xml version='1.0'?>
<checkresults>
<checkresult type='host' checktype='1'>
<hostname>domain1.com</hostname><servicename>MOS</servicename><state>0</state><output>MOS is 1.85</output> </checkresult>
<checkresult type='host' checktype='1'>
<hostname>domain2.com</hostname><servicename>MOS</servicename><state>0</state><output>MOS is 2.81</output> </checkresult>
</checkresults>
</xml>A simple playground simulating the above response and output is available here: http://jsfiddle.net/Lyfoq6yw/
The above watcher is 100% compatible with Elasticsearch Watcher ;)