Reputation: 341
Is it possible for Elasticsearch to send a notification when an object is added that matches some criteria?
For example, if it has category_id=4 and has the word "iphone" in the title or in the description, Elasticsearch should notify.
version: 5.1.1
Upvotes: 1
Views: 1491
Reputation: 31
You can use ElastAlert by Yelp to send alerts. This is a free application, and is easy to set up.
Once installed, create a Blacklist rule; it "... will check a certain field against a blacklist, and match if it is in the blacklist."
Your Blacklist rule might look like this:
es_host: localhost
es_port: 9200
name: category_id_is_4-Blacklist
type: blacklist
index: logstash-*
compare_key: category_id
blacklist:
  - "4"
realert:
  hours: 4
filter:
  - query_string:
      query: "title:*iphone* OR description:*iphone*"
alert:
  - "jira"
  - "slack"
slack_webhook_url: https://hooks.slack.com/services/XYZ/XYZ/XYZ
jira_server: https://XYZ.atlassian.net
jira_project: XYZ
jira_issuetype: Task
jira_account_file: /home/user/elastalert/rules/jira_acct.txt
You would then receive a notification in Slack and Jira. You can also set up ElastAlert for other alerts; you are not limited to Slack and Jira.
Upvotes: 1
Reputation: 3877
You can use the Watcher of the x-pack. I would set it up with a query that filters "unacknowledged documents" along with the rest of the query (category:4, "iPhone", etc.), and the action would update that document to be "acknowledged" after the notification is handled, so that it is no longer relevant to the query.
https://www.elastic.co/guide/en/x-pack/current/how-watcher-works.html
Upvotes: 0
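The acknowledge cycle described in the answer above, as an added example that is not part of the original answer and is not Watcher's own code: it builds the Query DSL body for "matching and not yet acknowledged" plus the Update API body, and runs the cycle offline to show that each document is notified exactly once. The field name `acknowledged`, the helper names and the sample documents are assumptions constructed for illustration.

```python
import re

def build_search_body(category_id=4, word="iphone"):
    """Query DSL: documents matching the criteria and not yet acknowledged."""
    return {"query": {"bool": {
        "filter": [{"term": {"category_id": category_id}}],
        "must": [{"multi_match": {"query": word,
                                  "fields": ["title", "description"]}}],
        # `acknowledged` is an assumed field name; a missing field also passes.
        "must_not": [{"term": {"acknowledged": True}}],
    }}}

def build_ack_body():
    """Partial document for the Update API, sent once the notification is handled."""
    return {"doc": {"acknowledged": True}}

def matches(doc, category_id=4, word="iphone"):
    """Offline stand-in for build_search_body(), evaluated on a plain dict."""
    text = "{} {}".format(doc.get("title", ""), doc.get("description", ""))
    tokens = re.findall(r"\w+", text.lower())
    return (doc.get("category_id") == category_id and word in tokens
            and not doc.get("acknowledged", False))

def run_cycle(index, notify):
    """One scheduled run: notify per unacknowledged match, then acknowledge it."""
    notified = []
    for doc_id in sorted(index):
        doc = index[doc_id]
        if matches(doc):
            notify(doc_id, doc)
            doc.update(build_ack_body()["doc"])
            notified.append(doc_id)
    return notified

def sample_index():
    """Constructed documents, keyed by id (not data from the page)."""
    return {
        "1": {"category_id": 4, "title": "New iPhone 7", "description": "boxed"},
        "2": {"category_id": 4, "title": "Case", "description": "fits iphone, black"},
        "3": {"category_id": 2, "title": "iPhone charger", "description": ""},
        "4": {"category_id": 4, "title": "Android phone", "description": "used"},
    }

if __name__ == "__main__":
    index = sample_index()
    sent = []
    print(run_cycle(index, lambda i, d: sent.append(i)))  # first scheduled run
    print(run_cycle(index, lambda i, d: sent.append(i)))  # second scheduled run
```

Against a real cluster, `build_search_body()` would be the search request body and `build_ack_body()` the body of an update request for each hit; `matches()` exists only so the cycle can run without Elasticsearch.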