sentinl的监控&告警实例

说明：定制XX业务每12小时出错日志报警，邮件通知给相关业务负责人。

{
  "actions": {
    "email_html_alarm_5b59dde3-b16a-4240-aed6-aca0d1": {
      "name": "email html alarm",
      "throttle_period": "1m",
      "email_html": {
        "to": "[email protected],[email protected]",
        "from": "[email protected]",
        "stateless": false,
        "subject": "XX业务服务生产环境日志告警",
        "priority": "high",
        "html": "
各位好,
\n
本次日志扫描最近12小时内发现{{payload.hits.total}}条Error信息，请登录kibana查询具体错误信息。 http://192.168.1.110:8449/app/kibana#/discover/searchId
\n
\n  
\n  
本次日志扫描采用以下策略:
\n  
{{watcher.condition.script.script}}
\n
"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "index": [
          "prod*"
        ],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "message:*Error AND ( path:*Eportal* OR path: *EData*)",
                    "use_dis_max": true
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-720m",
                      "lt": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "script": "payload.hits.total > 5"
    }
  },
  "transform": {},
  "trigger": {
    "schedule": {
      "later": "every 60 minutes"
    }
  },
  "disable": false,
  "report": false,
  "title": "XX业务服务日志告警-Error",
  "save_payload": false,
  "spy": false,
  "impersonate": false
}

---

参考Kibana 用户手册

官方文档 https://sentinl.readthedocs.io/en/latest/Watcher-Anatomy/#input-query

ELK的sentinl告警配置详解

Elasticsearch(查询详解) https://my.oschina.net/wsyblog/blog/702841