1、在elastalert_modules目录下增加dzqz.py
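#! /usr/bin/env python
# -*- coding: utf-8 -*-
"""ElastAlert alerter for a WeChat Work / DingTalk group-robot webhook.

Drop this file into ``elastalert_modules/`` and reference it from a rule as
``elastalert_modules.dzqz.DingTalkAlerter``.  The rule must provide
``dingtalk_webhook`` (the robot URL, including its secret query parameter)
and ``dingtalk_msgtype`` (``text`` or ``markdown``).
"""
import json
import re

import requests
from requests.exceptions import RequestException

from elastalert.alerts import Alerter, DateTimeEncoder
from elastalert.util import EAException

# Upper bound for the message body in UTF-8 *bytes*, not characters.  The
# previous implementation truncated by character count, which overshoots the
# robot's limit as soon as the body contains multi-byte (e.g. Chinese) text.
_MAX_BODY_BYTES = 4096

# Static annotations prepended to an alert whose body contains the API path
# (column 2).  They exist because the ES documents carry no such fields.
# Columns: name, path, visible impact, impact description, data source,
# severity, runbook.
_API_ANNOTATIONS = (
    ("H5手机登录", "/hello/abc", "部分情形影响出示", "H5手机短信用户无法登录", "YY系统", "S2", "-"),
    # NOTE(review): "/hell0/ced" (digit zero) does not match the "/hello/ced"
    # path used in the rule's filter - confirm which spelling is intended.
    ("H5密码登录", "/hell0/ced", "部分情形影响出示", "H5账密用户无法登录", "XX系统", "S2", "-"),
)

# Query parameters that carry the robot's shared secret: WeChat Work robots
# use ``key``; DingTalk robots are believed to use ``access_token``.
_SECRET_QUERY_PARAM = re.compile(r"(?i)([?&](?:key|access_token)=)[^&#]*")


def _redact_webhook_secret(url):
    """Return *url* with the value of its secret query parameter masked.

    Whatever ``get_info`` returns is written to ElastAlert's writeback index
    and may be logged, so the raw robot key must never be returned from there.
    """
    return _SECRET_QUERY_PARAM.sub(r"\1REDACTED", url)


def _truncate_utf8(text, max_bytes=_MAX_BODY_BYTES, suffix="..."):
    """Truncate *text* so that its UTF-8 encoding is at most *max_bytes* long.

    The cut is made on the encoded bytes; any partial multi-byte sequence left
    at the end is dropped, so the result is always valid text.  *text* is
    returned unchanged when it already fits.
    """
    encoded = text.encode('utf8')
    if len(encoded) <= max_bytes:
        return text
    budget = max(max_bytes - len(suffix.encode('utf8')), 0)
    return encoded[:budget].decode('utf8', 'ignore') + suffix


def _annotate_body(body):
    """Prepend the static annotation of every API path that occurs in *body*.

    Paths are matched as literal substrings (``re.escape``), not as regular
    expressions.  Every matching row is prepended (there is deliberately no
    ``break``, mirroring the original behaviour).
    """
    for name, path, impact, impact_desc, source, level, runbook in _API_ANNOTATIONS:
        if re.search(re.escape(path), body):
            body = (
                "> 接口名称: " + name
                + "\n> 接口地址: " + path
                + "\n> 显示影响: " + impact
                + "\n> 影响说明: " + impact_desc
                + "\n> 数据源: " + source
                + "\n> 警报等级: " + level
                + "\n> 应急预案: " + runbook
                + " \n" + body
            )
    return body


class DingTalkAlerter(Alerter):
    """Post each alert as a group-robot message via an HTTP webhook.

    Rule options:
      dingtalk_webhook   robot URL including its secret query parameter
                         (required; use ``https://`` so the key is not sent
                         in clear text)
      dingtalk_msgtype   ``text`` or ``markdown`` (required)
      dingtalk_isAtAll   whether to @all the group (default ``False``)
      dingtalk_title     read but currently not sent in the payload
      dingtalk_timeout   seconds to wait for the webhook (default 10)
    """
    required_options = frozenset(['dingtalk_webhook', 'dingtalk_msgtype'])

    def __init__(self, rule):
        super(DingTalkAlerter, self).__init__(rule)
        self.dingtalk_webhook_url = self.rule['dingtalk_webhook']
        self.dingtalk_msgtype = self.rule.get('dingtalk_msgtype', 'text')
        self.dingtalk_isAtAll = self.rule.get('dingtalk_isAtAll', False)
        # The misspelled attribute name is kept for compatibility; the value
        # is not used when building the payload.
        self.digtalk_title = self.rule.get('dingtalk_title', '')
        # Without a timeout a stalled webhook blocks ElastAlert's main loop
        # indefinitely; a timeout surfaces as a RequestException in alert().
        self.dingtalk_timeout = self.rule.get('dingtalk_timeout', 10)

    def format_body(self, body):
        """Return *body* UTF-8 encoded.  Kept for compatibility; ``alert`` does not call it."""
        return body.encode('utf8')

    def alert(self, matches):
        """Build the message for *matches* and POST it to the webhook.

        The body is annotated with the static API table and truncated to the
        robot's byte limit.  Raises EAException when the HTTP request fails
        or the robot answers with a non-2xx status.
        """
        headers = {
            "Content-Type": "application/json",
            "Accept": "application/json;charset=utf-8"
        }
        body = _truncate_utf8(_annotate_body(self.create_alert_body(matches)))

        # NOTE(review): the ``content`` field is the WeChat Work robot schema;
        # DingTalk's markdown message is believed to expect ``title``/``text``
        # instead - verify before pointing this alerter at a DingTalk webhook.
        payload = {
            "msgtype": self.dingtalk_msgtype,
            self.dingtalk_msgtype: {
                "content": body
            },
            "at": {
                # Previously hard-coded to False, silently ignoring the rule option.
                "isAtAll": bool(self.dingtalk_isAtAll)
            }
        }
        try:
            response = requests.post(
                self.dingtalk_webhook_url,
                data=json.dumps(payload, cls=DateTimeEncoder),
                headers=headers,
                timeout=self.dingtalk_timeout,
            )
            response.raise_for_status()
        except RequestException as e:
            raise EAException("Error request to Dingtalk: {0}".format(str(e)))

    def get_info(self):
        """Describe this alerter for the writeback index, with the webhook secret masked."""
        return {
            "type": "dingtalk",
            "dingtalk_webhook": _redact_webhook_secret(self.dingtalk_webhook_url)
        }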
2、在rules下增加dzqz.yaml
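# Rule name; must be unique across all rules
name: xxx业务
# Alert on the percentage of documents in a bucket that match match_bucket_filter
type: percentage_match
# Index pattern to query
index: test-*
# Human-readable description
description: "成功率低于90%"
# Percentage formatted with two decimals
percentage_format_string: '%.2f'
# Convert timestamps to the local time zone
match_enhancements:
  - "elastalert.enhancements.TimeEnhancement"
# Query lag (helps when documents are not indexed in real time)
query_delay:
  minutes: 2
# Alerting window
#start_time: "4:00"
#end_time: "20:00"
# Query filter, Elasticsearch DSL
filter:
  - terms:
      URL:
        - /hello/abc
        - /hello/ced
# Query window
buffer_time:
  minutes: 20
# Field that suppresses repeated alerts together with realert: each
# query_key value alerts at most once per realert period
query_key:
  - orgPathName
#doc_type: http_request
# Documents counted as the numerator of the percentage
match_bucket_filter:
  - range:
      statusCode:
        from: 200
        to: 403
# Alert when the percentage drops below this value
min_percentage: 80
# Alert when the percentage exceeds this value
#max_percentage: 10
# Bucket width
bucket_interval:
  minutes: 5
# Only alert once the denominator (total documents in the bucket) exceeds 3
min_denominator: 3
realert:
  minutes: 10
exponential_realert:
  minutes: 60
# Aggregate alerts, flushed once per minute
aggregation:
  schedule: "*/1 * * * *"
# Alerts with different values of this key are not merged
aggregation_key:
  - URL
#sync_bucket_interval: true
#allow_buffer_time_overlap: true
#use_run_every_query_size: true
# Alerter: the custom class defined above (the author states the webhook
# works for both WeChat Work and DingTalk robots)
alert:
  - "elastalert_modules.dzqz.DingTalkAlerter"
# Use https: the key in the query string is the robot's only credential and
# must not cross the network in clear text.  Treat this file as a secret
# (restrictive file permissions; never commit it with a real key).
dingtalk_webhook: "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=343ae32b-6428-4fbd-930e-xxxxxxxxxxxxxx"
dingtalk_msgtype: "markdown"
alert_text_type: alert_text_only
alert_text: |
  > 业务范围: {}
  > 警报时间: {}
  > 接口地址: {}
  > 成功率: <font color="warning">{:.2f}%</font>
alert_text_args:
  - name
  - "@timestamp"
  - URL
  - percentage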
警报结果
接口名称: H5密码登录
显示影响: 部分情形影响出示
影响说明: H5账密用户无法登录
数据源: XX系统
警报等级: S2
应急预案: -
业务范围: XXXX重保
警报时间: 2020-09-29 03:28 CST
接口地址: /hello/abc
成功率: 53.06%