Skip to main content
Sumo Logic

Install the Elasticsearch Monitors, App, and View the Dashboards

This page has instructions for installing the Sumo App for Elasticsearch and the descriptionfor the app dashboard.

This page has instructions for installing Sumo Logic Monitors for Elasticsearch, the app, and descriptions of each of the app dashboards. 

Install Monitors

Sumo Logic has provided pre-packaged alerts available through Sumo Logic monitors to help you proactively determine if an Elasticsearch cluster is available and performing as expected. These monitors are based on metric and log data and include pre-set thresholds that reflect industry best practices and recommendations. For more information about individual alerts, see Elasticsearch Alerts.

To install these monitors, you must have the Manage Monitors role capability.

You can install monitors by importing a JSON file or using a Terraform script.

Method 1: Install Monitors by importing a JSON file

  1. Download the JSON file that describes the monitors. 
  2. The JSON contains the alerts that are based on Sumo Logic searches that do not have any scope filters, and therefore will be applicable to all Elasticsearch clusters, the data for which has been collected via the instructions in the previous sections.  

However, if you would like to restrict these alerts to specific clusters or environments, update the JSON file by replacing the text db_cluster=* with <Your Custom Filter>.  

Custom filter examples: 

  1. For alerts applicable only to a specific cluster, your custom filter would be:  db_cluster=dev-elasticsearch-01

  2. For alerts applicable to all clusters that start with elasticsearch-prod, your custom filter would be: db_cluster=elasticsearch-prod*

  3. For alerts applicable to a specific clusters, within a production environment, your custom filter would be: 

db_cluster=dev-elasticsearch-01 AND environment=prod (This assumes you have set the optional environment tag while configuring collection)

  1. Go to Manage Data > Alerts > Monitors.

  2. Click Add.

  3. Click Import.
    import-option.png

  4. On the Import Content popup, enter Elasticsearch in the Name field, paste in the JSON into the popup, and click Import.
    import-content.png

  5. The monitors are created in a "Elasticsearch" folder. The monitors are disabled by default. See the Monitors topic for information about enabling monitors and configuring notifications or connections.

Method 2: Install Monitors using a Terraform script

Generate a Sumo Logic access key and ID

Generate an access key and access ID for a user that has the Manage Monitors role capability. For instructions see  Access Keys

Download and install Terraform

Download Terraform 0.13 or later, and install it. 

Download the Sumo Logic Terraform package for Elasticsearch monitors

The alerts package is available in the Sumo Logic github repository. You can either download it using the git clone command or as a zip file. 

Alert Configuration 

After extracting the package , navigate to the  terraform-sumologic-sumo-logic-monitor/monitor_packages/Elasticsearch/ directory.

Edit the Elasticsearch.auto.tfvars file and add the Sumo Logic Access Key and Access ID from Step 1 and your Sumo Logic deployment. If you're not sure of your deployment, see Sumo Logic Endpoints and Firewall Security

access_id   = "<SUMOLOGIC ACCESS ID>"

access_key  = "<SUMOLOGIC ACCESS KEY>"

environment = "<SUMOLOGIC DEPLOYMENT>"

The Terraform script installs the alerts without any scope filters, if you would like to restrict the alerts to specific clusters or environments, update the elasticsearch_data_source variable. For example:

To configure alerts for...

Set elasticsearch_data_source to something like :

A specific clusters

db_cluster=elasticsearch.prod.01

All clusters in an environment

environment=prod

Multiple clusters using a wildcard

db_cluster=elasticsearch-prod*

A specific clusters within a specific environment

db_cluster=elasticsearch-1 and environment=prod

This assumes you have configured and applied Fields as described in Step 1: Configure Fields of the Sumo Logic of the Collect Logs and Metrics for Elasticsearch topic.

All monitors are disabled by default on installation. To enable all of the monitors, set the monitors_disabled parameter to false.

By default, the monitors will be located in a "Elasticsearch" folder on the Monitors page. To change the name of the folder, update the monitor folder name in the folder variable in the Elasticsearch.auto.tfvars file.

If you want the alerts to send email or connection notifications, follow the instructions in the next section.

Step 5: Email and Connection Notification Configuration Examples

Edit the Elasticsearch_notifications.auto.tfvars file to populate the connection_notifications and email_notifications sections. Examples are provided below.

Pagerduty connection example

In the variable definition below, replace <CONNECTION_ID> with the connection ID of the Webhook connection. You can obtain the Webhook connection ID by calling the Monitors API.

connection_notifications = [
    {
      connection_type       = "PagerDuty",
      connection_id         = "<CONNECTION_ID>",
      payload_override      = "{\"service_key\": \"your_pagerduty_api_integration_key\",\"event_type\": \"trigger\",\"description\": \"Alert: Triggered {{TriggerType}} for Monitor {{Name}}\",\"client\": \"Sumo Logic\",\"client_url\": \"{{QueryUrl}}\"}",
      run_for_trigger_types = ["Critical", "ResolvedCritical"]
    },
    {
      connection_type       = "Webhook",
      connection_id         = "<CONNECTION_ID>",
      payload_override      = "",
      run_for_trigger_types = ["Critical", "ResolvedCritical"]
    }
  ]

Email notifications example

email_notifications = [
    {
      connection_type       = "Email",
      recipients            = ["abc@example.com"],
      subject               = "Monitor Alert: {{TriggerType}} on {{Name}}",
      time_zone             = "PST",
      message_body          = "Triggered {{TriggerType}} Alert on {{Name}}: {{QueryURL}}",
      run_for_trigger_types = ["Critical", "ResolvedCritical"]
    }
  ]
Install Monitors
  1. Navigate to the terraform-sumologic-sumo-logic-monitor/monitor_packages/Elasticsearch/ directory and run terraform init. This will initialize Terraform and download the required components.
  2. Run terraform plan to view the monitors that Terraform will create or modify.
  3. Run terraform apply.

This section demonstrates how to install the Elasticsearch App.

Install the App

To install the app:

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

  1. From the App Catalog, search for and select the app. 
  2. Select the version of the service you're using and click Add to Library.
  1. To install the app, complete the following fields.
    1. App Name. You can retain the existing name, or enter a name of your choice for the app.

    2. Data Source. Select either of these options for the data source.

      • Choose Source Category, and select a source category from the list.

      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).

    3. Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
  2. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization. 

Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps. 

Dashboard Filter with Template Variables

Template variables provide dynamic dashboards that rescope data on the fly. As you apply variables to troubleshoot through your dashboard, you can view dynamic changes to the data for a fast resolution to the root cause. For more information, see the Filter with template variables help page.

Elasticsearch - Overview

The Elasticsearch - Overview dashboard provides the health of Elasticsearch clusters, shards analysis, resource utilization of Elasticsearch host & clusters, search and indexing performance.

ElasticSearch - Total Operations Stats

The Elasticsearch - Total Operations stats dashboard provides information on the operations of the Elasticsearch system.

ElasticSearch - Thread Pool

The Elasticsearch- Thread Pool dashboard analyzes thread pools operations to manage memory consumption of nodes in the cluster.

Elasticsearch - Resource

The Elasticsearch - Resource dashboard monitors JVM Memory, Network, Disk, Network and CPU of Elasticsearch node.

ElasticSearch - Performance Stats

The Elasticsearch - Performance Stats dashboard performance statistics such as latency and Translog operations and size.

ElasticSearch - Indices

The Elasticsearch - Indices dashboard monitors Index operations, size and latency. It also provides analytics on doc values, fields, fixed bitsets, and terms memory.

Elasticsearch - Documents

The Elasticsearch - Documents dashboard provides analytics and monitoring on Elasticsearch documents.

ElasticSearch - Caches

The Elasticsearch - Caches dashboard allows you to monitor query cache size, evictions and field data memory size.

ElasticSearch - Errors And Warnings

The ElasticSearch - Errors And Warnings dashboard shows errors and warnings by Elasticsearch components.

ElasticSearch - Garbage Collection

The Elasticsearch - Garbage Collector dashboard provides information on the garbage collection of the Java Virtual Machine.

ElasticSearch - Login And Connections

The ElasticSearch - Login And Connections dashboard shows geo location of client connection requests, failed connection logins and count of failed login attempts

ElasticSearch - Operations

The Elasticsearch - Operations dashboard allows you to monitor server stats and events such as node up/down, index creation/deletion. It also provides disk usage and cluster health status.

ElasticSearch - Queries

The ElasticSearch - Queries dashboard shows Elasticsearch provides analytics on slow queries, and query shards.