This repository was archived by the owner on Jan 10, 2025. It is now read-only.
File tree 3 files changed +140
-0
lines changed
Alerting/Sample Watches/large_shard_watch
3 files changed +140
-0
lines changed Original file line number Diff line number Diff line change 1+ # Monitoring for Large Shards
2+
3+ ## Description
4+
5+ This is a watch that creates a helper index (large_shards), and it uses it to alert one time (per shard) based off the size of the shards defined in the metadata.
6+
7+ It queries the cat/shards api call to get the information first, and then ingests it into large-shards
8+
9+
10+ # Configuration
11+
12+ * Metadata is where the threshold_in_bytes is set.
Original file line number Diff line number Diff line change 1+ {
2+ "trigger" : {
3+ "schedule" : {
4+ "interval" : " 1h"
5+ }
6+ },
7+ "input" : {
8+ "chain" : {
9+ "inputs" : [
10+ {
11+ "first" : {
12+ "http" : {
13+ "request" : {
14+ "scheme" : " https"
15+ "host" : " localhost"
16+ "port" : 9243 ,
17+ "method" : " get"
18+ "path" : " /_cat/shards"
19+ "params" : {
20+ "format" : " json"
21+ "bytes" : " b"
22+ },
23+ "headers" : {},
24+ "auth" : {
25+ "basic" : {
26+ "username" : " elastic"
27+ "password" : " changeme"
28+ }
29+ }
30+ }
31+ }
32+ }
33+ },
34+ {
35+ "second" : {
36+ "search" : {
37+ "request" : {
38+ "indices" : [
39+ " large*"
40+ ],
41+ "types" : [
42+ " _doc"
43+ ],
44+ "body" : {
45+ "size" : 400 ,
46+ "query" : {
47+ "match_all" : {}
48+ }
49+ }
50+ }
51+ }
52+ }
53+ }
54+ ]
55+ }
56+ },
57+ "condition" : {
58+ "always" : {}
59+ },
60+ "transform" : {
61+ "script" : {
62+ "source" : " " "
63+ HashMap final = new HashMap();
64+ def docs = [];
65+ if (ctx.payload.second.hits.total > 0) {
66+ ctx.payload.second.hits.hits.stream()
67+ .forEach(e -> {
68+ final.put(e._source.indexName+"-"+e._source.shardNumber, e._source.shardSizeInBytes);
69+ });
70+ }
71+ List result = ctx.payload.first.data.stream()
72+ .forEach(s -> {
73+ def size = s.store == null ? 0 : Long.parseLong(s.store);
74+ if(size > ctx.metadata.threshold_in_bytes && !final.containsKey(s.index+"-"+ s.shard)) {
75+ docs.add([
76+ '_id' : s.index+ "-"+ s.shard,
77+ 'shardSizeInBytes': size,
78+ 'indexName': s.index,
79+ 'shardNumber': s.shard,
80+ 'node': s.node
81+ ]);
82+ }
83+ return true;
84+ });
85+ return ['_doc' : docs];
86+ " " ",
87+ "lang" : " painless"
88+ }
89+ },
90+ "actions" : {
91+ "index_payload" : {
92+ "condition" : {
93+ "script" : {
94+ "source" : " return ctx.payload._doc.size() > 0"
95+ "lang" : " painless"
96+ }
97+ },
98+ "index" : {
99+ "index" : " large-shards"
100+ "doc_type" : " _doc"
101+ }
102+ },
103+ "logging" : {
104+ "condition" : {
105+ "script" : {
106+ "source" : " return ctx.payload._doc.size() > 0"
107+ "lang" : " painless"
108+ }
109+ },
110+ "logging" : {
111+ "level" : " info"
112+ "text" : " " "
113+ The following shards are bigger than {{ctx.metadata.threshold_in_bytes }} bytes:
114+ {{#ctx.payload._doc }}
115+ Node [{{node }}] Shard #{{shardNumber}} Index [{{indexName}}] Size [{{shardSizeInBytes}}]
116+ {{/ctx.payload._doc }}
117+ " " "
118+ }
119+ }
120+ },
121+ "metadata" : {
122+ "threshold_in_bytes" : 3221225400 ,
123+ "xpack" : {
124+ "type" : " json"
125+ }
126+ }
127+ }
Original file line number Diff line number Diff line change @@ -67,6 +67,7 @@ X-Pack lets you set up watches (or rules) to detect and alert on changes in your
6767- [ Trending hashtag on twitter] ( https://github.com/elastic/examples/tree/master/Alerting/Sample%20Watches/twitter_trends )
6868- [ Unexpected account activity] ( https://github.com/elastic/examples/tree/master/Alerting/Sample%20Watches/unexpected_account_activity )
6969- [ Watch history dashboard] ( https://github.com/elastic/examples/tree/master/Alerting/watcher_dashboard )
70+ - [ Alert on Large Shards] ( https://github.com/elastic/examples/tree/master/Alerting/Sample%20Watches/large_shard_watch )
7071
7172#### Machine learning
7273
You can’t perform that action at this time.
0 commit comments