claranet · ghost · Sep 23, 2021 · xp-1000 · Sep 27, 2021 · ghost
@@ -75,6 +75,7 @@
 - [kubernetes-velero](#kubernetes-velero)
 - [kubernetes-volumes](#kubernetes-volumes)
 - [kubernetes-workloads-count](#kubernetes-workloads-count)
+- [logstash](#logstash)
 - [mdadm](#mdadm)
 - [memcached](#memcached)
 - [mongodb](#mongodb)
@@ -818,6 +819,20 @@
 |Kubernetes workloads count|-|-|X|X|-|
 
 
+## logstash
+
+|Detector|Critical|Major|Minor|Warning|Info|
+|---|---|---|---|---|---|
+|Logstash heartbeat|X|-|-|-|-|
+|Logstash events in high|-|-|X|X|-|
+|Logstash events in low|-|-|X|X|-|
+|Logstash events out high|-|-|X|X|-|
+|Logstash events out low|-|-|X|X|-|
+|Logstash cpu percent|-|-|X|X|-|
+|Logstash queued events|-|-|X|X|-|
+|Logstash queued disk|-|-|X|X|-|
+
+
 ## mdadm
 
 |Detector|Critical|Major|Minor|Warning|Info|

@@ -0,0 +1,142 @@
+# LOGSTASH SignalFx detectors
+
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+:link: **Contents**
+
+- [How to use this module?](#how-to-use-this-module)
+- [What are the available detectors in this module?](#what-are-the-available-detectors-in-this-module)
+- [How to collect required metrics?](#how-to-collect-required-metrics)
+  - [Monitors](#monitors)
+  - [Examples](#examples)
+  - [Metrics](#metrics)
+- [Related documentation](#related-documentation)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+## How to use this module?
+
+This directory defines a [Terraform](https://www.terraform.io/) 
+[module](https://www.terraform.io/docs/modules/usage.html) you can use in your
+existing [stack](https://github.com/claranet/terraform-signalfx-detectors/wiki/Getting-started#stack) by adding a 
+`module` configuration and setting its `source` parameter to URL of this folder:
+
+```hcl
+module "signalfx-detectors-smart-agent-logstash" {
+  source = "github.com/chungktran/terraform-signalfx-detectors.git//modules/smart-agent_logstash?ref={revision}"
+
+  environment   = var.environment
+  notifications = local.notifications
+}
+```
+
+Note the following parameters:
+
+* `source`: Use this parameter to specify the URL of the module. The double slash (`//`) is intentional  and required. 
+  Terraform uses it to specify subfolders within a Git repo (see [module
+  sources](https://www.terraform.io/docs/modules/sources.html)). The `ref` parameter specifies a specific Git tag in
+  this repository. It is recommended to use the latest "pinned" version in place of `{revision}`. Avoid using a branch 
+  like `master` except for testing purpose. Note that every modules in this repository are available on the Terraform 
+  [registry](https://registry.terraform.io/modules/claranet/detectors/signalfx) and we recommend using it as source 
+  instead of `git` which is more flexible but less future-proof.
+
+* `environment`: Use this parameter to specify the 
+  [environment](https://github.com/claranet/terraform-signalfx-detectors/wiki/Getting-started#environment) used by this 
+  instance of the module.
+  Its value will be added to the `prefixes` list at the start of the [detector 
+  name](https://github.com/claranet/terraform-signalfx-detectors/wiki/Templating#example).
+  In general, it will also be used in the `filtering` internal sub-module to [apply
+  filters](https://github.com/claranet/terraform-signalfx-detectors/wiki/Guidance#filtering) based on our default 
+  [tagging convention](https://github.com/claranet/terraform-signalfx-detectors/wiki/Tagging-convention) by default.
+
+* `notifications`: Use this parameter to define where alerts should be sent depending on their severity. It consists 
+  of a Terraform [object](https://www.terraform.io/docs/configuration/types.html#object-) where each key represents an 
+  available [detector rule severity](https://docs.signalfx.com/en/latest/detect-alert/set-up-detectors.html#severity) 
+  and its value is a list of recipients. Every recipients must respect the [detector notification 
+  format](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/detector#notification-format).
+  Check the [notification binding](https://github.com/claranet/terraform-signalfx-detectors/wiki/Notifications-binding) 
+  documentation to understand the recommended role of each severity.
+
+These 3 parameters alongs with all variables defined in [common-variables.tf](common-variables.tf) are common to all 
+[modules](../) in this repository. Other variables, specific to this module, are available in 
+[variables-gen.tf](variables-gen.tf).
+In general, the default configuration "works" but all of these Terraform 
+[variables](https://www.terraform.io/docs/configuration/variables.html) make it possible to 
+customize the detectors behavior to better fit your needs.
+
+Most of them represent usual tips and rules detailled in the 
+[guidance](https://github.com/claranet/terraform-signalfx-detectors/wiki/Guidance) documentation and listed in the 
+common [variables](https://github.com/claranet/terraform-signalfx-detectors/wiki/Variables) dedicated documentation.
+
+Feel free to explore the [wiki](https://github.com/claranet/terraform-signalfx-detectors/wiki) for more information about 
+general usage of this repository.
+
+## What are the available detectors in this module?
+
+This module creates the following SignalFx detectors which could contain one or multiple alerting rules:
+
+|Detector|Critical|Major|Minor|Warning|Info|
+|---|---|---|---|---|---|
+|Logstash heartbeat|X|-|-|-|-|
+|Logstash events in high|-|-|X|X|-|
+|Logstash events in low|-|-|X|X|-|
+|Logstash events out high|-|-|X|X|-|
+|Logstash events out low|-|-|X|X|-|
+|Logstash cpu percent|-|-|X|X|-|
+|Logstash queued events|-|-|X|X|-|
+|Logstash queued disk|-|-|X|X|-|
+
+## How to collect required metrics?
+
+This module uses metrics available from 
+[monitors](https://docs.signalfx.com/en/latest/integrations/agent/monitors/_monitor-config.html)
+available in the [SignalFx Smart 
+Agent](https://github.com/signalfx/signalfx-agent). Check the [Related documentation](#related-documentation) section for more 
+information including the official documentation of this monitor.
+
+
+Check the [integration
+documentation](https://docs.signalfx.com/en/latest/integrations/agent/monitors/logstash.html)
+in addition to the monitor one which it uses.
+
+### Monitors
+
+You have to enable the following `extraMetrics` in your monitor configuration:
+
+* `node.stats.pipelines.queue.queue_size_in_bytes`
+
+### Examples
+
+```yaml
+  - type: logstash
+    extraMetrics:
+    - node.stats.pipelines.queue.queue_size_in_bytes
+```
+
+
+### Metrics
+
+
+To filter only required metrics for the detectors of this module, add the 
+[datapointsToExclude](https://docs.signalfx.com/en/latest/integrations/agent/filtering.html) parameter to 
+the corresponding monitor configuration:
+
+```yaml
+    datapointsToExclude:
+      - metricNames:
+        - '*'
+        - '!node.stats.events.events.in'
+        - '!node.stats.events.events.out'
+        - '!node.stats.pipelines.queue.events_count'
+        - '!node.stats.pipelines.queue.queue_size_in_bytes'
+        - '!node.stats.process.process.cpu.percent'
+
+```
+
+
+
+## Related documentation
+
+* [Terraform SignalFx provider](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs)
+* [Terraform SignalFx detector](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/detector)
+* [Smart Agent monitor](https://docs.signalfx.com/en/latest/integrations/agent/monitors/logstash.html)
@@ -0,0 +1 @@
+../../common/module/filters-smart-agent.tf
@@ -0,0 +1 @@
+../../common/module/locals.tf
@@ -0,0 +1 @@
+../../common/module/modules.tf
@@ -0,0 +1 @@
+../../common/module/variables.tf
@@ -0,0 +1 @@
+../../common/module/versions.tf
@@ -0,0 +1,12 @@
+module: logstash
+name: heartbeat
+
+transformation: false
+aggregation: true
+
+signals:
+  signal:
+    metric: node.stats.events.events.in
+rules:
+  critical:
+
@@ -0,0 +1,21 @@
+module: logstash
+name: events in high
+
+transformation: ".min(over='10m')"
+aggregation: true
+
+signals:
+  signal:
+    metric: node.stats.events.events.in
+    rollup: delta
+rules:
+  warning:
+    description: is high
+    threshold: 25000
+    comparator: '>='
+    dependency: minor
+  minor:
+    description: is too high
+    threshold: 30000
+    comparator: '>='
+
@@ -0,0 +1,21 @@
+module: logstash
+name: events in low
+
+transformation: ".min(over='10m')"
+aggregation: true
+
+signals:
+  signal:
+    metric: node.stats.events.events.in
+    rollup: delta
+rules:
+  warning:
+    description: is low
+    threshold: 100
+    comparator: '<='
+    dependency: minor
+  minor:
+    description: is too low
+    threshold: 0
+    comparator: '<='
+
@@ -0,0 +1,21 @@
+module: logstash
+name: events out high
+
+transformation: ".min(over='10m')"
+aggregation: true
+
+signals:
+  signal:
+    metric: node.stats.events.events.out
+    rollup: delta
+rules:
+  warning:
+    description: is high
+    threshold: 25000
+    comparator: '>='
+    dependency: minor
+  minor:
+    description: is too high
+    threshold: 30000
+    comparator: '>='
+
@@ -0,0 +1,21 @@
+module: logstash
+name: events out low
+
+transformation: ".min(over='10m')"
+aggregation: true
+
+signals:
+  signal:
+    metric: node.stats.events.events.out
+    rollup: delta
+rules:
+  warning:
+    description: is low
+    threshold: 100
+    comparator: '<='
+    dependency: minor
+  minor:
+    description: is too low
+    threshold: 0
+    comparator: '<='
+
@@ -0,0 +1,19 @@
+module: logstash
+name: cpu percent
+
+transformation: ".min(over='10m')"
+aggregation: true
+
+signals:
+  signal:
+    metric: node.stats.process.process.cpu.percent
+rules:
+  warning:
+    description: is high
+    threshold: 90
+    comparator: '>='
+  minor:
+    description: is too high
+    threshold: 100
+    comparator: '>='
+
@@ -0,0 +1,21 @@
+module: logstash
+name: queued events
+
+transformation: ".min(over='10m')"
+aggregation: true
+
+signals:
+  signal:
+    metric: node.stats.pipelines.queue.events_count
+    rollup: latest
+rules:
+  warning:
+    description: is high
+    threshold: 1000000
+    comparator: '>='
+    dependency: minor
+  minor:
+    description: is too high
+    threshold: 2000000
+    comparator: '>='
+
@@ -0,0 +1,23 @@
+module: logstash
+name: queued disk
+
+transformation: ".min(over='10m')"
+aggregation: true
+
+signals:
+  disk:
+    metric: node.stats.pipelines.queue.queue_size_in_bytes
+    rollup: latest
+  signal:
+    formula: (disk / 1000000)
+rules:
+  warning:
+    description: is high
+    threshold: 8000
+    comparator: '>='
+    dependency: minor
+  minor:
+    description: is too high
+    threshold: 10000
+    comparator: '>='
+
@@ -0,0 +1,23 @@
+documentations:
+  - name: Smart Agent monitor
+    url: 'https://docs.signalfx.com/en/latest/integrations/agent/monitors/logstash.html'
+
+source_doc: |
+  Check the [integration
+  documentation](https://docs.signalfx.com/en/latest/integrations/agent/monitors/logstash.html)
+  in addition to the monitor one which it uses.
+
+  ### Monitors
+
+  You have to enable the following `extraMetrics` in your monitor configuration:
+
+  * `node.stats.pipelines.queue.queue_size_in_bytes`
+
+  ### Examples
+
+  ```yaml
+    - type: logstash
+      extraMetrics:
+      - node.stats.pipelines.queue.queue_size_in_bytes
+  ```
+