
I've just deployed ELK in an attempt to see if it can be used for monitoring logs and alerting about issues.

What I need to be able to detect is mostly missing records: Say a log record was received, saying a user is about to make some sort of request. I then expect to see the log record saying the request has been made.

If the second record was not received within X seconds from the arrival of the first, then something is wrong, and I want to alert about it.

Any ideas how to achieve that?

SivanBH

1 Answer


I have used the elapsed{} filter to do something similar. With it, you declare the first event and the "matching" event. If the matching event doesn't appear within a period of time, it will generate an "expired event" that you could check for.

Alain Collins
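As an added illustration of the answer above (this pipeline is not from the original post), here is a Logstash configuration that pairs a "request about to be made" record with its "request made" record using the elapsed{} filter and raises an expired event when the second record does not arrive within X seconds. The log line format, the field and tag names (`request_id`, `req_start`, `req_end`), the 30-second timeout, and the sample lines fed through the generator input are all assumptions made for the example; the `elapsed_expired_error`, `elapsed` and `elapsed_end_without_start` tags and the `elapsed_time` / `elapsed_timestamp_start` fields are the ones documented for the plugin.

```conf
input {
  # Constructed sample lines (not from the original post).
  # Request a1 completes; request b2 starts but never finishes,
  # so after the timeout elapsed{} emits an expired event for it.
  generator {
    lines => [
      "REQUEST_START request_id=a1",
      "REQUEST_DONE request_id=a1",
      "REQUEST_START request_id=b2"
    ]
    count => 1
  }
}

filter {
  # Assumed line format: "<phase> request_id=<id>".
  # @timestamp stays the arrival time, which is what the question measures from.
  grok {
    match => { "message" => "%{WORD:phase} request_id=%{NOTSPACE:request_id}" }
  }

  # elapsed{} pairs events by tag, so tag the two halves of a request.
  if [phase] == "REQUEST_START" {
    mutate { add_tag => ["req_start"] }
  } else if [phase] == "REQUEST_DONE" {
    mutate { add_tag => ["req_end"] }
  }

  elapsed {
    start_tag       => "req_start"
    end_tag         => "req_end"
    unique_id_field => "request_id"   # ties a start record to its end record
    timeout         => 30             # X seconds to wait for the end record
    periodic_flush  => true           # check for expiry even when no new events arrive
  }
}

output {
  # A start with no end inside the timeout arrives as a new event tagged
  # elapsed_expired_error, carrying request_id and elapsed_timestamp_start.
  # Route those to whatever alerting channel you use.
  if "elapsed_expired_error" in [tags] {
    stdout { codec => rubydebug }     # stand-in for an email/http/etc. output
  }

  # Matched pairs keep the end event, tagged "elapsed" with an elapsed_time
  # field; an end that arrives with no start is tagged elapsed_end_without_start.
  elasticsearch { hosts => ["localhost:9200"] }
}
```

Two practical caveats: the elapsed filter is not bundled with every Logstash release, so you may need `bin/logstash-plugin install logstash-filter-elapsed` first; and the pending start records live only in that Logstash process's memory, so a restart or a second Logstash instance receiving the end record will surface as false "expired" or "end without start" events rather than a real missing record.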