TL;DR

  • New aggregation on unstructured (semi-structured) text in 7.16
  • Categorize logs for an alert
  • More granular information in the alert message

Build Better Alerts with the New Elasticsearch Aggregation

We are working on an Elasticsearch-based alerting system for one of Spoon Consulting's clients.

The client's needs are classic ones:

  1. Send an alert when there are more than 5 error logs within 10 minutes
  2. Know which errors were encountered

Usually, to do this, I would build a query with a top_hits aggregation.

Then, within the error_count bucket, we could see the last 10 errors encountered.

But with this solution we only get a partial view of the problems.
Thanks to the new categorize_text aggregation, we can now do far better:

GET logs-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [ # filter on time range
        {
          "range": {
            "@timestamp": {
              "gte": "now-10m/m"
            }
          }
        },
        {
          "term": {
            "log.level": "ERROR" # return only errors
          }
        }
      ]
    }
  },
  "aggs": { # count errors in 10-minute buckets, keeping only buckets with at least 1 doc
    "per_10_min": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "10m", # fixed_interval replaces the deprecated interval parameter
        "min_doc_count": 1
      },
      "aggs": { # within these errors, split by message category
        "categories": {
          "categorize_text": {
            "field": "message",
            "categorization_filters": ["\\\\.*"], # regex filter that strips variable data (ids, file names etc.) before categorizing
            "size": 10
          }
        }
      }
    }
  }
}

And now the result (only the aggregation part of the response is shown) is:

      "buckets" : [
        {
          "key_as_string" : "2021-12-08T09:30:00.000Z",
          "key" : 1638955800000,
          "doc_count" : 26, # total number of errors in the last 10 minutes
          "categories" : {
            "buckets" : [
              {
                "doc_count" : 6, # 6 errors of that type
                "key" : "Aborted process Execution"
              },
              {
                "doc_count" : 20, # 20 files not found
                "key" : "Unable to load file" # the file names have been removed by the regex filter
              }
            ]
          }
        }
      ]
    }
  }
}

It's now quick and easy to build the body of the alert email with all the error information.
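As an added example (not code from the post), a small Python script that builds the same request body, reads a response shaped like the one above (a constructed sample here, not a real cluster), and renders the alert email body only when a 10-minute bucket exceeds the 5-error threshold; the function names and the text layout are my own.

```python
ERROR_THRESHOLD = 5  # "more than 5 error logs within 10 min", from the post


def build_query(window="10m", filter_regex="\\\\.*", size=10):
    """Request body from the post: ERROR logs in the last window, bucketed
    per 10 minutes and split by categorize_text on the message field."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": f"now-{window}/m"}}},
            {"term": {"log.level": "ERROR"}}]}},
        "aggs": {"per_10_min": {
            # fixed_interval is the non-deprecated spelling of "interval"
            "date_histogram": {"field": "@timestamp",
                               "fixed_interval": window, "min_doc_count": 1},
            "aggs": {"categories": {"categorize_text": {
                "field": "message",
                "categorization_filters": [filter_regex],
                "size": size}}}}}}


def alerting_buckets(response, threshold=ERROR_THRESHOLD):
    """Return (timestamp, error_count, [(category, count), ...]) for every
    10-minute bucket whose error count exceeds the threshold."""
    rows = []
    for b in response["aggregations"]["per_10_min"]["buckets"]:
        if b["doc_count"] > threshold:
            cats = [(c["key"], c["doc_count"]) for c in b["categories"]["buckets"]]
            rows.append((b["key_as_string"], b["doc_count"], cats))
    return rows


def alert_body(response, threshold=ERROR_THRESHOLD):
    """Plain-text email body, or None when no bucket crosses the threshold."""
    lines = []
    for ts, total, cats in alerting_buckets(response, threshold):
        lines.append(f"{total} errors since {ts} (threshold {threshold}):")
        lines += [f"  - {n:>4} x {cat}" for cat, n in sorted(cats, key=lambda c: -c[1])]
    return "\n".join(lines) if lines else None


# Constructed sample response, shaped like the one shown in the post.
SAMPLE_RESPONSE = {"aggregations": {"per_10_min": {"buckets": [
    {"key_as_string": "2021-12-08T09:30:00.000Z", "key": 1638955800000, "doc_count": 26,
     "categories": {"buckets": [
         {"doc_count": 6, "key": "Aborted process Execution"},
         {"doc_count": 20, "key": "Unable to load file"}]}}]}}}

if __name__ == "__main__":
    print(alert_body(SAMPLE_RESPONSE))
```

Sending `build_query()` to `logs-*/_search` and feeding the JSON response to `alert_body` gives the text to put in the email; a `None` result means nothing to send.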

categorize_text and Kibana

At the time of writing, the aggregation is still in beta, so it is not yet implemented in Kibana.
For users of the powerful Kibana alerting, no doubt it will be implemented soon.

Spoon Consulting is a certified Elastic partner

As a certified partner of Elastic, Spoon Consulting offers high-level consulting for all kinds of companies.

Read more about your own Elasticsearch use case in Spoon Consulting's posts

Or contact Spoon Consulting now