lqb
/
elasticsearch
cermin dari https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229
							[role="xpack"]
[[watching-time-series-data]]
=== Watching time series data

If you are indexing time series data such as logs, RSS feeds, or network traffic,
you can use {watcher} to send notifications when certain events occur.

For example, you could index an RSS feed of posts on Stack Overflow that are
tagged with Elasticsearch, Logstash, Beats, or Kibana, set up a watch to check
daily for new posts about a problem or failure, and send an email if any are
found.

The simplest way to index an RSS feed is to use https://www.elastic.co/products/logstash[Logstash].

To install Logstash and set up the RSS input plugin:

. https://www.elastic.co/downloads/logstash[Download Logstash] and unpack the
  archive file.
. Go to the `logstash-{version}` directory and install the
  {logstash-ref}/plugins-inputs-rss.html[RSS input] plugin:
+
[source,sh]
----------------------------------------------------------
cd logstash-<logstash_version>
bin/logstash-plugin install logstash-input-rss
----------------------------------------------------------

. Create a Logstash configuration file that uses the RSS input plugin to get
  data from an RSS/atom feed and outputs the data to Elasticsearch. For example,
  the following `rss.conf` file gets events from the Stack Overflow feed that
  are tagged with `elasticsearch`, `logstash`, `beats` or `kibana`.
+
[source,ruby]
----------------------------------------------------------
input {
  rss {
    url => "http://stackoverflow.com/feeds/tag/elasticsearch+or+logstash+or+beats+or+kibana"
    interval => 3600 <1>
  }
}

output {
  elasticsearch { }
  stdout { }
}
----------------------------------------------------------
<1> Checks the feed every hour.
+
For more information see {logstash-ref}/plugins-outputs-elasticsearch.html[Elasticsearch output]
in the Logstash Reference.

. Run Logstash with the `rss.conf` config file to start indexing the feed:
+
[source,she]
----------------------------------------------------------
bin/logstash -f rss.conf
----------------------------------------------------------

Once you have Logstash set up to input data from the RSS feed into Elasticsearch,
you can set up a daily watch that runs at noon to check for new posts that
contain the words "error" or "problem".

To set up the watch:

. Define the watch trigger--a daily schedule that runs at 12:00 UTC:
+
[source,js]
--------------------------------------------------
"trigger" : {
  "schedule" : {
    "daily" : { "at" : "12:00" }
  }
}
--------------------------------------------------
+
NOTE: In {watcher}, you specify times in UTC time. Don't forget to do the
      conversion from your local time so the schedule triggers at the time
      you intend.

. Define the watch input--a search that uses a filter to constrain the results
  to the past day.
+
[source,js]
--------------------------------------------------
"input" : {
  "search" : {
    "request" : {
      "indices" : [ "logstash*" ],
      "body" : {
        "query" : {
          "bool" : {
            "must" : { "match" : { "message": "error problem" }},
            "filter" : { "range" : { "@timestamp" : { "gte" : "now-1d" }}}
          }
        }
      }
    }
  }
}
--------------------------------------------------

. Define a watch condition to check the payload to see if the input search
  returned any hits. If it did, the condition resolves to `true` and the watch
  actions will be executed.
+
You define the condition with the following script:
+
[source,text]
--------------------------------------------------
return ctx.payload.hits.total.value > threshold
--------------------------------------------------
+
If you store the script in a file at `$ES_HOME/config/scripts/threshold_hits.painless`,
you can then reference it by name in the watch condition.
+
[source,js]
--------------------------------------------------
"condition" : {
  "script" : {
    "id" : "threshold_hits",
    "params" : {
      "threshold" : 0 <1>
    }
  }
}
--------------------------------------------------
<1> The threshold parameter value you want to pass to the script.
+
. Define a watch action to send an email that contains the relevant messages
  from the past day as an attachment.
+
[source,js]
--------------------------------------------------
"actions" : {
  "send_email" : {
    "email" : {
      "to" : "username@example.org",
      "subject" : "Somebody needs help with the Elastic Stack",
      "body" : "The attached Stack Overflow posts were tagged with Elasticsearch, Logstash, Beats or Kibana and mentioned an error or problem.",
      "attachments" : {
        "attached_data" : {
          "data" : {
            "format" : "json"
          }
        }
      }
    }
  }
}
--------------------------------------------------
+
NOTE: To use the email action, you must configure at least one email account in
`elasticsearch.yml`. If you configure multiple email accounts, you need to
specify which one you want to send the email with. For more information, see
<<configuring-email>>.

The complete watch looks like this:

[source,console]
--------------------------------------------------
PUT _watcher/watch/rss_watch
{
  "trigger" : {
      "schedule" : {
        "daily" : { "at" : "12:00" }
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash*" ],
        "body" : {
          "query" : {
            "bool" : {
              "must" : { "match" : { "message": "error problem" }},
              "filter" : { "range" : { "@timestamp" : { "gte" : "now-1d" }}}
            }
          }
        }
      }
    }
  },
  "condition" : {
    "script" : {
      "id" : "threshold_hits",
      "params" : {
        "threshold" : 0
      }
    }
  },
  "actions" : {
    "send_email" : {
      "email" : {
        "to" : "username@example.org",  <1>
        "subject" : "Somebody needs help with the Elastic Stack",
        "body" : "The attached Stack Overflow posts were tagged with Elasticsearch, Logstash, Beats or Kibana and mentioned an error or problem.",
        "attachments" : {
          "attached_data" : {
            "data" : {}
          }
        }
      }
    }
  }
}
--------------------------------------------------
// TEST[s/"id" : "threshold_hits"/"source": "return ctx.payload.hits.total.value > params.threshold"/]

<1> Replace `username@example.org` with your email address to receive
    notifications.

[TIP]
=================================================
To execute a watch immediately (without waiting for the schedule to trigger),
use the {ref}/watcher-api-execute-watch.html[`_execute` API]:

[source,console]
--------------------------------------------------
POST _watcher/watch/rss_watch/_execute
{
  "ignore_condition" : true,
  "action_modes" : {
    "_all" : "force_execute"
  },
  "record_execution" : true
}
--------------------------------------------------
// TEST[continued]
=================================================