Introduction


Skedler – Alerts is an Elasticsearch companion tool with a user-friendly UI that alerts you when inconsistent data occurs.


When real-time data written to Elasticsearch matches the conditions defined in Skedler – Alerts, the user is alerted through email or webhook.


Skedler-Alerts concepts



S.No | Name | Mandatory / Optional | Description
1. | Alert Name | Mandatory | A name for the scheduled alert
2. | Index Pattern (or) Name | Mandatory | Lists the index patterns configured in the index-pattern settings.
3. | Index Type | Optional | Lists the available types for the selected Elasticsearch index
4. | Time Field | Mandatory | Timestamp field used to search or query the Elasticsearch indices for a particular time range.
5. | Alert Conditions | Mandatory | Query that checks for events to alert on. The query can be a keyword search, a compare condition, an aggregate condition, or any combination of these.
6. | Schedule | Mandatory | Time interval at which the alert conditions are run and checked for inconsistency. The schedule can be in seconds, minutes, hourly, daily or weekly.
7. | Alert Action - Alias | Mandatory | Webhook alias to which notifications are sent when an alert event occurs
8. | Alert Action - Webhook template | Mandatory | Default message template for normal and Slack webhooks
9. | Alert Action - Webhook Parameters | Optional | Dynamic field values can be inserted into Additional data or Messages by adding placeholder parameters. For example, select the parameter name Alert Name and click Merge at the required place; the actual alert name is inserted there.
10. | Alert Action - Webhook Include Result | Optional | Particular fields of the triggering event to send in the notification
11. | Alert Action - Email To | Mandatory | Email ids (comma-separated list) to which alert notifications are sent.
12. | Alert Action - Email CC | Optional | Email ids (comma-separated list) to be copied on alert notifications.
13. | Alert Action - Email Parameters | Optional | Dynamic field values can be inserted into the Subject and Message by adding placeholder parameters. For example, select the parameter name Alert Name and click Merge at the required place; the actual alert name is inserted there.
14. | Alert Action - Email Subject | Mandatory | Subject for the email.
15. | Alert Action - Email Message | Mandatory | Notification message sent in the email when the alert conditions are met
16. | Alert Action - Email Include JSON | Optional | Events which caused the alert are sent as a JSON attachment
17. | Alert Action - Email Select Fields | Optional | Particular fields of the triggering event to send in the notification
18. | Alert Action - Index Pattern | Mandatory | Events which caused the alert are written to the given Elasticsearch index pattern
19. | Alert Action - Index Pattern Select Field for Notification | Optional | Particular fields of the events to push into the given Elasticsearch index



Access Skedler-Alerts


After installation, Skedler-Alerts can be accessed at http://<yourserver>:3001 (assuming Skedler-Alerts is using port 3001).



Schedule Skedler-Alerts


1. Alerts can be scheduled by filling in the appropriate values:


  • Alert Details
    • Classification identifies the importance of the alert, i.e. Critical / Warning / Information.
    • Alert Name of your choice.
    • Fill in the index name; Skedler-Alerts lists the available indices from Elasticsearch.
    • Optionally, select the Index Type for the selected Elasticsearch index.
    • Select the Time Field for the index.
  • Alert Conditions
    • Keyword Filter - Alerts searches the entire index for the matching keyword. The keyword filter works much like the Elasticsearch Query String Query.

    • Aggregation Filter

      • Performs aggregation operations such as count, avg, min, max or sum on the selected field.

      • Select the aggregation type, field, condition (greater than, less than, equal to, etc.) and value to apply the condition.

    • Query Filter

      • Select the field, query condition (Must be, Must not be, Should be), condition (greater than, less than, equal to, etc.) and value to apply the condition.

      • Any number of conditions can be added by clicking the add icon.
    • Group By - Groups the results into buckets using a nested aggregation.
    • Order - Sort order of the events in a bucket (Ascending or Descending).
    • Number of Documents - Number of buckets to retrieve. For example, entering '5' retrieves only the 5 buckets matching the condition.
    • Time window - Generates the alert for a specific time range, for example the last two hours or the last 5 days.
    • Compare to - Compares the current time window to another time window, for example the data of the last 5 days against the previous 5 days.
    • Value (times) - The multiplier 'x' used when comparing the data of the current time window to the previous time window.
    • Operation - The condition (More than, Less than, More than equal to, Less than equal to) used when comparing the current time window's data to the previous time window.
    • Relative Time Window (Last & to) - Compares the alert for the specific time range to the time window.
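To make the Alert Conditions above concrete, the following added example (not Skedler's code) translates a Keyword Filter, Time Field, Group By and Aggregation Filter into an Elasticsearch search body and evaluates the Operation / "Compare to" check between the current and previous time window. The field names, the 5-day window and the choice to apply Value (times) as a multiplier on the previous window are assumptions made here.

```python
import operator
from datetime import datetime, timedelta, timezone

# Comparison operators offered by the Operation / condition drop-downs
OPERATORS = {"More than": operator.gt, "Less than": operator.lt,
             "More than equal to": operator.ge, "Less than equal to": operator.le,
             "equal to": operator.eq}

# Constructed sample settings (not from the page): "now" and a 5-day Time window
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SPAN = timedelta(days=5)


def time_windows(now, span):
    """Current Time window [now - span, now) and the previous window of equal
    length that "Compare to" measures against (last 5 days vs the 5 before)."""
    return (now - span, now), (now - 2 * span, now - span)


def build_alert_query(keyword, time_field, window, group_by=None, agg=None,
                      size=5, order="desc"):
    """Translate one set of Alert Conditions into an Elasticsearch search body:
    keyword is the Keyword Filter (sent as a query_string query), time_field is
    the index's Time Field bounded by window, group_by/size/order drive the
    Group By buckets, and agg=(type, field) is the Aggregation Filter metric."""
    start, end = window
    body = {"size": 0, "query": {"bool": {"must": [
        {"query_string": {"query": keyword}},
        {"range": {time_field: {"gte": start.isoformat(), "lt": end.isoformat()}}},
    ]}}}
    if group_by:
        bucket = {"terms": {"field": group_by, "size": size,
                            "order": {"_count": order}}}
        if agg:
            agg_type, agg_field = agg
            bucket["aggs"] = {"metric": {agg_type: {"field": agg_field}}}
        body["aggs"] = {"groups": bucket}
    return body


def check_condition(value, condition, threshold):
    """Aggregation / Query Filter condition, e.g. avg(bytes) More than 1000."""
    return OPERATORS[condition](value, threshold)


def compare_windows(current, previous, operation, times):
    """"Compare to" check: current window's value <operation> times x the previous
    window's value (assumption: Value (times) multiplies the previous window)."""
    return check_condition(current, operation, times * previous)
```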


  • Schedule Details

Set up the schedule for the alert by selecting the Frequency type (Seconds, Minutes, Hourly, Daily, Weekly) and the interval. For example, if the frequency type is Seconds and the frequency time is 5, the alert condition is evaluated every 5 seconds. Set the Start minute at which the alert schedule starts to run: for example, if the minute is set to 00 and the current time is 16:30 hrs, the scheduled alert will start at 17:00 hrs.



  • Alert Actions

There are three types of alert action:

  1. Send alerts to Email.
  2. Send alerts to a Webhook.
  3. Send alerts to an Elasticsearch index.

Multiple alert actions can be set for a single alert.


  • Email
    • You can also schedule your alert to be sent as an email.
    • Fill in the Subject, To, CC and Message fields for the alert email.
    • Check "Include JSON" and select the fields of the triggering event to be sent as a JSON attachment.
    • Click the Save button to save the alert.



  • Webhook
    • Select the Webhook ALIAS and the template to be pushed to the webhook URL.
    • Selecting a predefined template provides the messages to be sent to a normal webhook URL and to a Slack webhook URL.
    • Additional data - you can also send other additional data, in the form of key/value pairs, to the given webhook URL.
    • Include Result - you can send the selected event fields to the given webhook URL.
    • Click the Save button to save the alert.
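The following added example (not Skedler's code) shows how the Webhook Parameters, Additional data and Include Result settings described above combine into the body posted to a webhook URL. The {{Parameter Name}} placeholder syntax, the alert metadata and the sample event are assumptions constructed for the example; the page only names the parameters.

```python
import re

# Assumed placeholder syntax: {{Parameter Name}} (the page shows the names only)
PLACEHOLDER = re.compile(r"\{\{\s*([^{}]+?)\s*\}\}")

# Constructed sample alert metadata and one triggering event (not from the page)
ALERT_PARAMS = {"Alert Name": "High 5xx rate", "Classification": "Critical"}
EVENT = {"host": "web-01", "status": 503, "bytes": 512, "user_agent": "curl/8.0"}


def merge_parameters(template, params):
    """Webhook/Email Parameters: replace each {{Name}} with the matching parameter.
    Unknown names are left untouched so a template typo is visible in the notice
    instead of silently producing an empty string."""
    return PLACEHOLDER.sub(
        lambda m: str(params.get(m.group(1), m.group(0))), template)


def include_result(event, selected_fields):
    """Include Result / Select Fields: keep only the event fields chosen in the UI."""
    return {name: event[name] for name in selected_fields if name in event}


def build_webhook_payload(template, params, additional_data, event,
                          selected_fields, slack=False):
    """Assemble the body posted to the webhook URL. Event field values travel as
    structured JSON data and are never merged into the template text, so content
    from a log event cannot act as a placeholder or alter the message layout."""
    text = merge_parameters(template, params)
    payload = {"text": text} if slack else {"message": text}
    payload.update(additional_data)          # Additional data key/value pairs
    payload["result"] = include_result(event, selected_fields)
    return payload
```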


  • Elasticsearch Index
    • Give the Index Pattern to which the events matching the condition will be pushed.
    • Select fields for notification - pushes only the selected fields into Elasticsearch.
    • The advantage of pushing the matching events is explained in detail in the use case below, How to visualize alerts in Kibana.



2. Once the alert is scheduled, you can see the scheduled alert details on the home page as follows.


3. To edit a scheduled alert, click the “Edit” icon.



4. To delete a scheduled alert, select the alert in the grid and click the “Delete” button.



5. To clone an existing alert, click the “Clone” icon, change the alert name and click the “Clone” button.


6. To snooze a scheduled alert, click the “Snooze” icon and select the time interval for which the alert is snoozed. While snoozed, the alert keeps running but notifications are no longer sent via webhook/email until it is resumed.





7. To resume a snoozed alert, click the “Un-snooze” icon.



8. Please refer to the article below on how to set up alerts for different use cases.