Example
lscount returns a time bucketed count of matching documents in the LogStash index, according to the specified filter.
A trivial use of this would be to check how many documents in total have been received in the 5 minutes, and alert if it is below a certain threshold.
A Bosun alert for this might look like:
alert logstash.docs {
$notes = This alerts if there hasn't been any logstash documents in the past 5 minutes
template = logstash.docs
$count_by_minute = lscount("logstash", "", "", "5m", "5m", "")
$count_graph = lscount("logstash", "", "", "1m", "60m", "")
$q = avg($count_by_minute)
crit = $q < 1
critNotification = default
}
template logstash.docs {
body = `{{template "header" .}}
{{.Graph .Alert.Vars.count_graph }}
{{template "def" .}}
{{template "computation" .}}`
subject = {{.Last.Status}}: Logstash docs per second: {{.Eval .Alert.Vars.q | printf "%.2f"}} in the past 5 minutes
}
This has two instances of lscount:
- $count_by_minute = lscount("logstash", "", "", "5m", "5m", "")
- This counts the number of documents from the last 5 minutes, in a single 5 minute bucket. You will get one data point in the returned seriesSet with the total number of documents from the last 5 minutes, in the latest
logstashindex
- This counts the number of documents from the last 5 minutes, in a single 5 minute bucket. You will get one data point in the returned seriesSet with the total number of documents from the last 5 minutes, in the latest
- $count_graph = lscount("logstash", "", "", "1m", "60m", "")
- This counts the number of documents from the last hour, in 1 minute buckets. There will be a total of 60 data points in the seriesSet returned, which in this instance is used in a graph.
