
I have an Alert set up on Kibana (v7.1.1) for sending an alert whenever an OutOfMemory log is encountered. The trigger is set up with severity 2 to send an alert to a list of emails, with Throttle actions to only trigger every 5 mins. This alert creates a trigger 10 mins after the creation time and keeps sending alerts until I click Acknowledge. Once I click Acknowledge, the trigger is never generated again, even though OOM logs are still being generated.

I want this to send an alert whenever a new OOM log is encountered and then stop for the next 5 mins (by enabling throttling) if OOM logs keep being generated. Following are the monitor details:

Monitor Name: OOM Alert

Schedule: By interval every 5 mins

Define Monitor: Define using extraction query

{
    "query": {
        "bool": {
            "must": [
                {
                    "range": {
                        "@timestamp": {
                            "from": "{{period_end}}||-1d",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "should": [
                {
                    "wildcard": {
                        "log": {
                            "wildcard": "*outofmemory*",
                            "rewrite": "constant_score",
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    }
}
bot

1 Answer

Can you try to change the date filter to this:

"range": {
    "@timestamp": {
        "gte": "now-16h",
        "lt": "now"
    }
}
Alex Stanovsky
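The behaviour in the question (alerts stop after Acknowledge even though new OOM logs arrive) comes down to how the lookback window in the range filter interacts with the monitor's alert state. The following is an added simulation, not code from the question, the answer, or the alerting plugin: it runs a stand-in for the `@timestamp` range filter over constructed OOM event offsets on a 5-minute schedule with a 5-minute throttle, and compares the 1-day window from the question, the 16-hour window from the answer, and a window equal to the schedule interval. The alert state model (an alert opens when the query returns hits, an acknowledged alert runs no actions until a run finds zero hits, after which the next hit opens a fresh alert) is an assumption made for the example.

```python
from datetime import timedelta

MIN = timedelta(minutes=1)

# Constructed OOM log timestamps, as offsets from the first monitor run:
# a burst at 0-12 min, silence, then a second incident at 90-91 min.
OOM_EVENTS = [0 * MIN, 3 * MIN, 7 * MIN, 12 * MIN, 90 * MIN, 91 * MIN]


def count_hits(events, period_end, lookback):
    """Stand-in for the monitor's @timestamp range filter:
    count events in (period_end - lookback, period_end]."""
    start = period_end - lookback
    return sum(1 for ts in events if start < ts <= period_end)


def simulate(events, schedule, lookback, throttle, ack_at=None, horizon=120 * MIN):
    """Run the monitor every `schedule` and return the minutes at which the
    email action fires. Assumed state model (an assumption, not from the page):
    a run with hits > 0 opens an alert (ACTIVE) if none is open; an ACTIVE
    alert runs the action subject to `throttle`; once acknowledged, no action
    runs until a run finds zero hits (alert COMPLETED); the next run with hits
    opens a fresh alert."""
    state = None          # None (no open alert) | "ACTIVE" | "ACKNOWLEDGED"
    ack_pending = ack_at is not None
    last_action = None
    fired = []
    t = timedelta(0)
    while t <= horizon:
        # The operator clicks Acknowledge once, at ack_at, on the open alert.
        if state == "ACTIVE" and ack_pending and t >= ack_at:
            state, ack_pending = "ACKNOWLEDGED", False
        if count_hits(events, t, lookback) > 0:
            if state is None:
                state = "ACTIVE"
            if state == "ACTIVE" and (last_action is None or t - last_action >= throttle):
                fired.append(int(t / MIN))
                last_action = t
        else:
            state = None  # condition false: the alert completes
        t += schedule
    return fired


def compare_windows():
    """Same events, schedule, throttle and acknowledgement time;
    only the lookback window of the range filter differs."""
    common = dict(events=OOM_EVENTS, schedule=5 * MIN, throttle=5 * MIN, ack_at=15 * MIN)
    return {
        "1d window (question)": simulate(lookback=timedelta(days=1), **common),
        "16h window (answer)": simulate(lookback=timedelta(hours=16), **common),
        "5m window (= schedule)": simulate(lookback=5 * MIN, **common),
    }


if __name__ == "__main__":
    for label, minutes in compare_windows().items():
        print(f"{label:24s} action fired at minutes {minutes}")
```

With a window much longer than the schedule, every run after the first OOM keeps returning hits, so the acknowledged alert never completes and the second incident at minute 90 produces no email; with the window equal to the schedule interval, the alert completes as soon as a run sees no new OOM lines and the second incident opens a fresh alert. In a real deployment, give the window a small overlap with the schedule (for example one extra minute) so a delayed run cannot skip events, and accept that an event may then be counted by two consecutive runs.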