Elasticsearch:Cluster alerting based on X-Pack Watcher

Overview

X-Pack Watcher allows you to create watches. A watch consists of a trigger, an input, a condition, and actions.

• Trigger

  Determines when a watch starts to run, that is, the interval at which the operation specified in the related input is performed. X-Pack Watcher supports multiple types of triggers. For more information, see Schedule Trigger.

• Input

  Loads data into the execution context of a watch when the watch is triggered. This execution context is accessible during the subsequent execution phases of the watch. If no input is specified for a watch, an empty execution context is loaded. For more information, see Inputs.

  A watch supports the following types of inputs:

  • simple: loads static data into the execution context. For example, you can enter a piece of data for alerting.

  • search: loads the results of a search into the execution context. For example, the results of a full-text search that is performed based on a keyword are used for alerting.

  • http: loads the results of an HTTP request into the execution context. For example, the results of calling an Elasticsearch API operation that is used to query the health status and node status of an Elasticsearch cluster are used for alerting.

  • chain: loads a series of input data into the execution context. In most cases, the input data has different sources.

• Condition

  Controls whether a watch performs actions. If specific conditions are met, the watch performs actions. If no condition is specified for a watch, the always condition is used by default. For more information, see Conditions.

  A watch supports the following types of conditions:

  • always: Conditions are always met, and the watch always performs actions.

  • never: Conditions are never met, and the watch never performs actions.

  • compare: The values in the payload of the watch are compared to determine whether to perform actions.

  • array_compare: An array of values in the payload of the watch is compared with a specific value to determine whether to perform actions.

  • script: A script is used to determine whether to perform actions.

• Actions

  Determines the actions that a watch performs when specific conditions are met. A watch supports actions such as email, webhook, index, and logging. For more information, see Actions.

  Note

  Alibaba Cloud Elasticsearch does not support the email action because an endpoint limit is imposed on this type of action. We recommend that you use the webhook action.

Use scenarios

• If the logs index in your Elasticsearch cluster contains errors, X-Pack Watcher triggers the system to send alert notifications by email, DingTalk message, or WeCom message. For more information, see Configure a DingTalk chatbot to receive alert notifications from X-Pack Watcher and Configure a WeCom chatbot to receive alert notifications from X-Pack Watcher.

• You can use X-Pack Watcher to monitor metrics related to the cross-cluster replication (CCR) feature and report alerts for exceptions. For more information, see Use X-Pack Watcher to monitor CCR-related metrics and report alerts for exceptions.

Precautions

• By default, X-Pack Watcher is disabled for Elasticsearch clusters. You need to manually enable X-Pack Watcher. For more information, see Configure the YML file.

• In the original network architecture, X-Pack Watcher is available only for single-zone Elasticsearch clusters. For more information, see [Notice] Network architecture adjustment.

• In the new network architecture, if you want to use X-Pack Watcher, you must first use the PrivateLink service to establish private connections between virtual private clouds (VPCs). For more information, see Configure a private connection for an Elasticsearch cluster and [Notice] Network architecture adjustment.

• X-Pack Watcher cannot directly access the Internet and must use the internal endpoint of your Elasticsearch cluster to access the Internet.