ElastAlert == [官方文件](https://readthedocs.org/projects/elastalert/downloads/pdf/stable/) * Alert type Any type - Match on any event matching a given filter Frequency type - Match where there are X events in Y time Spike type - Match when the rate of events increases or decreases Flatline type - Match when there are less than X events in Y time Blacklist type - Match when a certain field matches a blacklist Whitelist type - Match when a certain field matches a whitelist Change type - Match when a field has two different values within some time * **Any**：只要符合條件一次即告警 ``` # duration_time 只要超過 1 秒就告警 name: example_any type: any index: up0125_ai_* filter: - range: duration_time: from: 1 alert_subject: "ElastAlert-Any" alert: - "email" email: - "elastalert@example.com" ``` * **Frequency**：一定時間內 events 達幾次即告警 ([官方範例](https://github.com/Yelp/elastalert/blob/master/example_rules/example_frequency.yaml)) ``` # 一分鐘內 events 出現 1 次即告警 name: example_frequency type: frequency index: up0125_ai_* num_events: 1 timeframe: minutes: 1 filter: [] alert_subject: "ElastAlert-Frequency" alert: - "email" email: - "elastalert@example.com" ``` * **Spike**：一定時間內 events 以下兩種情況都滿足才會告警 ([官方範例](https://github.com/Yelp/elastalert/blob/master/example_rules/example_spike.yaml)) 【情況1】最近一定時間內 events 達幾次 【情況2】最近一定時間內的 events 數量比上一個 time window 多幾倍 ``` # 最近一分鐘的 events 達 3 次且 events 數是上一分鐘的 2 倍，則告警 name: example_spike type: spike index: up0125_ai_* threshold_cur: 3 timeframe: minutes: 1 spike_height: 2 spike_type: "up" filter: [] alert_subject: "ElastAlert-Spike" alert: - "email" email: - "elastalert@example.com" ```