
Alerting when a server goes down

The query below can be used to alert a user whenever a server has gone down. It looks at the last 1 minute up to the present and matches whenever the response code is anything other than 200. It will keep alerting as long as the response code is not 200. You can copy and paste this into the Monitor when creating your alert.

{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "from": "now-1m/m",
              "to": "now/m",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        }
      ],
      "must_not": [
        {
          "match": {
            "http.response.status_code": {
              "query": "200",
              "operator": "OR",
              "prefix_length": 0,
              "max_expansions": 50,
              "fuzzy_transpositions": true,
              "lenient": false,
              "zero_terms_query": "NONE",
              "auto_generate_synonyms_phrase_query": true,
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  }
}

 

You can also customize the alert message to display the information in detail. For example, the photo below shows that when an alert is sent, it will display the URL of the downed server, IP address, status code, etc.

 

 

Here is the above message that you can use to copy and paste into your own message field.

Uptime-monitor just entered alert status. Please investigate the issue.
- URL: {{ctx.results.0.hits.hits.0._source.resolve.host}}
- IP: {{ctx.results.0.hits.hits.0._source.resolve.ip}}

- Response Code: {{ctx.results.0.hits.hits.0._source.http.response.status_code}}
- Status: {{ctx.results.0.hits.hits.0._source.monitor.status}}

- Severity: {{ctx.trigger.severity}}

- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}

 

Take note in the Message box of how the appropriate nested fields have been pulled out. To make it easier to find the data that you want to use, you can click on the "info" button next to Trigger condition, and the sidebar will be displayed, allowing you to reference the paths to the appropriate fields.
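
The field paths used in the message, resolved against a constructed search result, as an added example that is not part of the original post. The sample documents, host names and the `resolve`, `render` and `matches_query` helpers are hypothetical; the second hit assumes a failed connection is indexed without `http.response.status_code`, which the `must_not` clause still matches and which the message then shows as an empty value.

```python
import re

# Constructed sample of what the monitor query could return (not real data):
# one hit for a 503 and one for a refused connection, which is assumed to
# carry no http.response.status_code field at all.
SAMPLE_CTX = {
    "periodStart": "2024-01-01T00:00:00Z",
    "periodEnd": "2024-01-01T00:01:00Z",
    "trigger": {"severity": "1"},
    "results": [{"hits": {"hits": [
        {"_source": {"resolve": {"host": "app.example.test", "ip": "192.0.2.10"},
                     "http": {"response": {"status_code": 503}},
                     "monitor": {"status": "down"}}},
        {"_source": {"resolve": {"host": "db.example.test", "ip": "192.0.2.20"},
                     "monitor": {"status": "down"}}},
    ]}}],
}


def resolve(ctx, path):
    """Walk a dotted path like ctx.results.0.hits.hits.0._source.x; numeric parts index lists."""
    node = ctx
    for part in path.split(".")[1:]:  # drop the leading "ctx"
        try:
            node = node[int(part)] if isinstance(node, list) else node[part]
        except (KeyError, IndexError, ValueError, TypeError):
            return None  # path does not exist in this result
    return node


def render(template, ctx):
    """Fill {{ctx...}} placeholders; a missing path renders as empty text, as Mustache does."""
    def sub(match):
        value = resolve(ctx, match.group(1))
        return "" if value is None else str(value)
    return re.sub(r"\{\{\s*(ctx[\w.]*)\s*\}\}", sub, template)


def matches_query(source):
    """Mirror of the must_not clause: keep any document whose status code is not 200,
    including documents that have no status code field."""
    code = source.get("http", {}).get("response", {}).get("status_code")
    return code != 200
```

Because the message reads only `hits.0`, any additional matching hits in the same period are not shown in the alert text.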