ElastAlert规则中的聚合值

Question

我需要编写一个聚合事件值的ElastAlert规则。“value”是ES文档中的一个字段。例如，我需要所有值的总和，或平均值。

我是Python新手，所以我想知道是否在任何地方都有这样的规则的例子。

Answer 1

例如，如果希望在文档间聚合的特定值达到阈值时触发警报，则可以实现自己的规则。

首先，在__ init__.py文件旁边创建一个名为__的文件，如文档所述。

然后在my_rules.py中可以编写以下内容：

from elastalert.ruletypes import RuleType

class CountValuesRule(RuleType):

    tracked_values = ['value1', 'value2', 'value3']
    counts = {key: 0 for key in tracked_values}

    # From elastalert docs:
    #     add_data will be called each time Elasticsearch is queried.
    #     data is a list of documents from Elasticsearch, sorted by timestamp,
    #     including all the fields that the config specifies with "include"
    def add_data(self, data):

        def should_trigger(document):
            # here decide if value in counts should trigger alert, for example:
            if self.counts['value1'] > 1000
                return True
            return False

        for document in data:
            # Increment tracked values
            for value in self.tracked_values:
                self.counts[value] += document.get(value, 0)

            if should_trigger(document):
                self.add_match(document)
                # Stop checking other values
                break

    # The results of get_match_str will appear in the alert text
    def get_match_str(self, match):
        return "A value has reached specified threshold. Values: %s" % (str(self.counts))

    # From elastalert docs:
    # garbage_collect is called indicating that ElastAlert has already been run up to timestamp
    # It is useful for knowing that there were no query results from Elasticsearch because
    # add_data will not be called with an empty list
    def garbage_collect(self, timestamp):
        pass

最后，将此自定义规则包含在您正在配置的规则中，如下所示：

name: Your rule name
es_host: Your host
es_port: Your port
type: "elastalert_modules.my_rules.CountValuesRule"