{
"id": "elastic-agent-output-errors",
"type": "alerting_rule_template",
"attributes": {
"name": "[Elastic Agent] Output errors",
"tags": ["Elastic Agent", "Pipeline and Queues"],
"ruleTypeId": ".es-query",
"schedule": {
"interval": "1m"
},
"params": {
"searchType": "esqlQuery",
"timeWindowSize": 3,
"timeWindowUnit": "m",
"threshold": [0],
"thresholdComparator": ">",
"size": 100,
"esqlQuery": {
"esql": "FROM metrics-elastic_agent.*beat-default*, *:metrics-elastic_agent.*beat-default*\n| WHERE data_stream.dataset LIKE \"elastic_agent.*beat\" AND agent.name NOT LIKE \"*agentless*\"\n| STATS \n max_errors = MAX(TO_LONG(beat.stats.libbeat.output.write.errors)),\n min_errors = MIN(TO_LONG(beat.stats.libbeat.output.write.errors)) \n BY time_bucket = DATE_TRUNC(1 minute, @timestamp), elastic_agent.id, component.id\n| EVAL errors_count = max_errors - min_errors \n| WHERE errors_count > 5 \n| STATS MAX(errors_count) BY elastic_agent.id, component.id"
},
"aggType": "count",
"groupBy": "row",
"termSize": 5,
"sourceFields": [],
"timeField": "@timestamp",
"excludeHitsFromPreviousRun": true
},
"alertDelay": {
"active": 1
}
},
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "10.1.0"
}