# you can disable an alarm notification by setting the 'to' line to: silent

# 'red' is a threshold, can't lookup the 'red' dimension - using simple pattern is a workaround.

 template: elasticsearch_cluster_health_status_red
       on: elasticsearch.cluster_health_status
    class: Errors
     type: SearchEngine
component: Elasticsearch
   lookup: average -5s unaligned of *ed
    every: 10s
    units: status
     crit: $this == 1
    delay: down 5m multiplier 1.5 max 1h
  summary: Elasticsearch cluster ${label:cluster_name} status
     info: Elasticsearch cluster ${label:cluster_name} health status is red.
       to: sysadmin

# the idea of '-10m' is to handle yellow status after node restart,
# (usually) no action is required because Elasticsearch will automatically restore the green status.
 template: elasticsearch_cluster_health_status_yellow
       on: elasticsearch.cluster_health_status
    class: Errors
     type: SearchEngine
component: Elasticsearch
   lookup: average -10m unaligned of yellow
    every: 1m
    units: status
     warn: $this == 1
    delay: down 5m multiplier 1.5 max 1h
  summary: Elasticsearch cluster ${label:cluster_name} status
     info: Elasticsearch cluster ${label:cluster_name} health status is yellow.
       to: sysadmin

 template: elasticsearch_node_index_health_red
       on: elasticsearch.node_index_health
    class: Errors
     type: SearchEngine
component: Elasticsearch
   lookup: average -5s unaligned of *ed
    every: 10s
    units: status
     warn: $this == 1
    delay: down 5m multiplier 1.5 max 1h
  summary: Elasticsearch cluster ${label:cluster_name} index ${label:index} status
     info: Elasticsearch cluster ${label:cluster_name} index ${label:index} health status is red.
       to: sysadmin

# don't convert 'lookup' value to seconds in 'calc' due to UI showing seconds as hh:mm:ss (0 as now).

 template: elasticsearch_node_indices_search_time_query
       on: elasticsearch.node_indices_search_time
    class: Workload
     type: SearchEngine
component: Elasticsearch
   lookup: average -10m unaligned of query
    every: 10s
    units: milliseconds
     warn: $this > (($status >= $WARNING)  ? (20 * 1000) : (30 * 1000))
    delay: down 5m multiplier 1.5 max 1h
  summary: Elasticsearch cluster ${label:cluster_name} node ${label:node_name} query performance
     info: Elasticsearch cluster ${label:cluster_name} node ${label:node_name} search performance is degraded, queries run slowly.
       to: sysadmin

 template: elasticsearch_node_indices_search_time_fetch
       on: elasticsearch.node_indices_search_time
    class: Workload
     type: SearchEngine
component: Elasticsearch
   lookup: average -10m unaligned of fetch
    every: 10s
    units: milliseconds
     warn: $this > (($status >= $WARNING)  ? (3 * 1000) : (5 * 1000))
     crit: $this > (($status == $CRITICAL) ? (5 * 1000) : (30 * 1000))
    delay: down 5m multiplier 1.5 max 1h
  summary: Elasticsearch cluster ${label:cluster_name} node ${label:node_name} fetch performance
     info: Elasticsearch cluster ${label:cluster_name} node ${label:node_name} search performance is degraded, fetches run slowly.
       to: sysadmin