Kapacitor alerts overview

Kapacitor makes it possible to handle alert messages in two different ways.

• The messages can be pushed directly to an event handler exposed through the Alert node.
• The messages can be published to a topic namespace to which one or more alert handlers can subscribe.

No matter which approach is used, the handlers need to be enabled and configured in the configuration file. If the handler requires sensitive information such as tokens and passwords, it can also be configured using the Kapacitor HTTP API.

Push to handler

Pushing messages to a handler is the basic approach presented in the Getting started with Kapacitor guide. This involves simply calling the relevant chaining method made available through the alert node. Messages can be pushed to log() files, the email() service, the httpOut() cache and many third party services.

Publish and subscribe

An alert topic is simply a namespace where alerts are grouped. When an alert event fires it can be published to a topic. Multiple handlers can subscribe (can be bound) to that topic and all handlers process each alert event for the topic. Handlers get bound to topics through the kapacitor command line client and handler binding files. Handler binding files can be written in yaml or json. They contain four key fields and one optional one.

• topic: declares the topic to which the handler will subscribe.
• id: declares the identity of the binding.
• kind: declares the type of event handler to be used. Note that this needs to be enabled in the kapacitord configuration.
• match: (optional) declares a match expression used to filter which alert events will be processed. See the section Match Expressions below.
• options: options specific to the handler in question. These are listed below in the section List of handlers

Example 1: A handler binding file for the slack handler and cpu topic

topic: cpu
id: slack
kind: slack
options:
  channel: '#kapacitor'

Example 1 could be saved into a file named slack_cpu_handler.yaml.

This can then be generated into a Kapacitor topic handler through the command line client.

$ kapacitor define-topic-handler slack_cpu_handler.yaml

Handler bindings can also be created over the HTTP API. See the Create a Handler section of the HTTP API document.

For a walk through on defining and using alert topics see the Using Alert Topics walk-through.

Handlers

A handler takes action on incoming alert events for a specific topic. Each handler operates on exactly one topic.

List of Handlers

The following is a list of available alert handlers and their options.

Aggregate

Aggreate multiple events into a single event.

Options:

Example:

kind: aggregate
options:
    interval: 5m
    topic: agg_5m

Send aggregate events of the past 5m to the agg_5m topic. Further handling of the aggregated events can be configured on the agg_5m topic.

Alerta

Send alert events to an Alerta instance.

Options:

Example:

kind: alerta
options:
    resource: system

Exec

Execute an external program, the alert data is passed over STDIN to the process.

Options:

Example:

kind: exec
options:
    prog: /path/to/executable

Hipchat

Send alert events to a Hipchat room.

Options:

Example:

kind: hipchat
options:
    room: '#alerts'

Log

Log alert events to a file.

Options:

Example:

kind: log
options:
    path: '/tmp/alerts.log'

Opsgenie

Send alert events to OpsGenie.

Options:

Example:

kind: opsgenie
options:
    teams:
        - rocket

Pagerduty

Send alert events to PagerDuty.

Options:

Example:

kind: pageduty

Pushover

Send alert events to Pushover.

Options:

Example:

kind: pushover
options:
    title: Alert from Kapacitor

Post

Post JSON encoded alert data to an HTTP endpoint.

Options:

Example:

kind: post
options:
    url: http://example.com

Publish

Publish events to another topic.

Options:

Example:

kind: publish
options:
    topics:
        - system
        - ops_team

Sensu

Send alert events to Sensu.

Options:

Example:

kind: sensu

Slack

Send alert events to Slack.

Options:

Example:

kind: slack
options:
    channel: '#alerts'

SMTP

Send alert events via email.

Options:

Example:

kind: smtp
options:
    to:
        - oncall1@example.com
        - oncall2@example.com

Snmptrap

Trigger SNMP traps for alert events.

Options:

Example:

kind: snmptrap
options:
    trap-oid: '1.1.1.1'
    data-list:
        oid: '1.3.6.1.2.1.1.7'
        type: i
        value: '{{ index .Field "value" }}'

Talk

Send alert events to a Talk instance. No options are available. See the Talk service configuration.

Example:

kind: talk

TCP

Send JSON encoded alert data to a TCP endpoint.

Options:

Example:

kind: tcp
options:
    address: 127.0.0.1:7777

Telegram

Send alert events to a Telegram instance.

Options:

Example:

kind: telegram

Victorops

Send alert events to a VictorOps instance.

Options:

Example:

kind: victorops
options:
    routing-key: ops_team

Match expressions

Alert handlers support match expressions that filter which alert events the handler processes.

A match expression is a TICKscript lambda expression. The data that triggered the alert is available to the match expression, including all fields and tags.

In addition to the data that triggered the alert metadata about the alert is available. This alert metadata is available via various functions.

Additionally the vars OK, INFO, WARNING, and CRITICAL have been defined to correspond with the return value of the level function.

For example to send only critical alerts to a handler, use this match expression:

match: level() == CRITICAL

Examples

Send only changed events to the handler:

match: changed() == TRUE

Send only WARNING and CRITICAL events to the handler:

match: level() >= WARNING

Send events with the tag “host” equal to s001.example.com to the handler:

match: "host" == 's001.example.com'