Logging pipeline — alert when ingest rate drops
Filebeat or Logstash silently died on one edge node. The Elasticsearch ingest rate fell 40%, but no one watches dashboards. Sentry without logs is blindness.
Recipe
```bash
#!/usr/bin/env bash
# Compares the document count of the last minute against an expected floor.
# Requires GNU date (for -d), curl and python3.
set -uo pipefail

ES="${ES:-http://localhost:9200}"
INDEX_PREFIX="${INDEX_PREFIX:-logs-}"
MIN_DOCS_PER_MIN="${MIN_DOCS_PER_MIN:-100}"
# Lower bound of the window: one minute ago, in UTC.
SINCE=$(date -u -d '1 min ago' +"%Y-%m-%dT%H:%M:%SZ")
# Count documents with @timestamp >= SINCE across all matching indices.
COUNT=$(curl -sS --max-time 10 -X POST "$ES/${INDEX_PREFIX}*/_count" \
  -H "Content-Type: application/json" \
  -d "{\"query\":{\"range\":{\"@timestamp\":{\"gte\":\"$SINCE\"}}}}" \
  | python3 -c 'import json,sys; print(json.load(sys.stdin).get("count", 0))')
# An empty COUNT means curl or the JSON parse failed (Elasticsearch unreachable).
[ -z "$COUNT" ] && { echo "no-data"; exit 1; }
if [ "$COUNT" -lt "$MIN_DOCS_PER_MIN" ]; then
  echo "low $COUNT"
else
  echo "ok $COUNT"
fi
```
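The floor above only sees the total, so one dead shipper can hide behind the traffic of the remaining nodes. The following Python check is an added example, not part of the original recipe: it counts documents per host with a terms aggregation and reports expected hosts that went quiet. It assumes a keyword-mapped `host.name` field (the ECS field Filebeat populates); the function names, the `EXPECTED` inventory and the `edge-0x` host names are hypothetical.

```python
#!/usr/bin/env python3
"""Per-host ingest check: flag expected shippers that went quiet (added example)."""
import json
import os
import urllib.request

ES = os.environ.get("ES", "http://localhost:9200")
INDEX_PREFIX = os.environ.get("INDEX_PREFIX", "logs-")


def build_query(window="1m", max_hosts=1000):
    """Count documents per host.name over the last `window` (field name assumed)."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{window}"}}},
        "aggs": {"hosts": {"terms": {"field": "host.name", "size": max_hosts}}},
    }


def fetch_counts(es=ES, prefix=INDEX_PREFIX):
    """POST the aggregation to <prefix>*/_search and return the parsed response."""
    req = urllib.request.Request(
        f"{es}/{prefix}*/_search",
        data=json.dumps(build_query()).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def quiet_hosts(response, expected, min_docs=1):
    """Return {host: doc_count} for expected hosts below min_docs (absent = 0)."""
    buckets = response.get("aggregations", {}).get("hosts", {}).get("buckets", [])
    seen = {b["key"]: b["doc_count"] for b in buckets}
    return {h: seen.get(h, 0) for h in sorted(expected) if seen.get(h, 0) < min_docs}


# Constructed sample response: edge-03 stopped shipping, yet the total is 260 docs.
SAMPLE = {"aggregations": {"hosts": {"buckets": [
    {"key": "edge-01", "doc_count": 140},
    {"key": "edge-02", "doc_count": 120},
]}}}
EXPECTED = ["edge-01", "edge-02", "edge-03"]  # hypothetical host inventory

if __name__ == "__main__":
    # Swap SAMPLE for fetch_counts() to query a live cluster.
    quiet = quiet_hosts(SAMPLE, EXPECTED, min_docs=10)
    print("low " + json.dumps(quiet) if quiet else "ok")
```

The output keeps the recipe's `ok` / `low` keywords, so the same keyword monitor can watch it.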
Same thing in Enterno.io
Expose the check on an HTTP endpoint and point an Enterno HTTP monitor at it with the keyword "ok", checked every minute: you get paged when the pipeline drops. Pair it with a heartbeat on Filebeat itself as a second line of defense.