Ok, thanks a lot !!! It gets a bit clearer

1. Regarding the policy you sent me
   a. Input stream and output stream use the same stream. Is that normal ?
   b. In the 'definition' block, you do 'from' a stream (HDFS_AUDIT_LOG_ENRICHED_STREAM_SANDBOX) which is neither defined in the input stream nor the output stream. Is that normal ?
   c. In the 'definition' block, you insert into 'Audit_log_alert'. What is that ? Should it be a stream ? or a Kafka topic ?
2. I read the examples given here: https://cwiki.apache.org/confluence/display/EAG/Quick+Start+with+Alert+Engine+through+API. The policy shown in this page (chapter 5.1) seems more consistent to me. I would like to POST it to my eagle server, but
   a. When installing the 'Hdfs Audit Log Monitor' application, it created only one hdfs audit log stream (HDFS_AUDIT_LOG_ENRICHED_STREAM_SANDBOX). How can I create another stream (e.g. HDFS_AUDIT_LOG_ENRICHED_STREAM_OUT_SANDBOX) ?

Jean

On Wed, Mar 22, 2017 at 12:25 PM, SUDHA JENSLIN <[email protected]> wrote:

> Post : http://localhost:9090/rest/metadata/policies
>
> -sudha Jenslin
>
> On Mar 22, 2017, at 4:47 PM, Jean Rossier <[email protected]> wrote:
>
> Hi Jean,
>
> You can create policies either through rest API or through Eagle UI.
>
> Rest API:
> Post :
>
> {
>   "name": "hdfsPolicy_1",
>   "description": "hdfsPolicy",
>   "inputStreams": [
>     "HDFS_AUDIT_LOG_ENRICHED_STREAM_EAGLE_LP"
>   ],
>   "outputStreams": [
>     "HDFS_AUDIT_LOG_ENRICHED_STREAM_EAGLE_LP"
>   ],
>   "definition": {
>     "type": "siddhi",
>     "value": "from HDFS_AUDIT_LOG_ENRICHED_STREAM_SANDBOX[src=='/tmp'] select * insert into Audit_log_alert"
>   },
>   "alertDefinition": {
>     "templateType": "TEXT",
>     "subject": "Test Alert : eagle alert",
>     "body": "Tmp : test alert",
>     "severity": "CRITICAL",
>     "category": "test"
>   },
>   "partitionSpec": [
>     {
>       "streamId": "HDFS_AUDIT_LOG_ENRICHED_STREAM_EAGLE_LP",
>       "type": "GROUPBY",
>       "columns": [
>         "user"
>       ]
>     }
>   ],
>   "parallelismHint": 2
> }
>
> You can follow the below given document:
> https://cwiki.apache.org/confluence/display/EAG/5.1+Create+Alert+Policy
> https://cwiki.apache.org/confluence/display/EAG/Quick+Start+with+Alert+Engine+through+API
>
> Regards,
> Sudha Jenslin

--
*Jean Rossier*
*Sqooba (Schweiz) AG*
Parkterrasse 14
3012 Bern
eMail: [email protected] <[email protected]>
Mobile: +41 79 643 96 57
Web: www.sqooba.io
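The questions in this message come down to comparing names: the streams the Siddhi query reads from and inserts into versus the streams the policy declares. The following is an added example, not code from the thread or from the Eagle project, that lists those differences for the quoted policy before it is POSTed. It assumes the simple `from X[...] ... insert into Y` query shape shown above and does not reproduce Eagle's own validation; the function and variable names are hypothetical.

```python
import json
import re

# Constructed sample: the policy quoted in the thread, reduced to the compared fields.
POLICY_JSON = """
{
  "name": "hdfsPolicy_1",
  "inputStreams": ["HDFS_AUDIT_LOG_ENRICHED_STREAM_EAGLE_LP"],
  "outputStreams": ["HDFS_AUDIT_LOG_ENRICHED_STREAM_EAGLE_LP"],
  "definition": {
    "type": "siddhi",
    "value": "from HDFS_AUDIT_LOG_ENRICHED_STREAM_SANDBOX[src=='/tmp'] select * insert into Audit_log_alert"
  },
  "partitionSpec": [
    {"streamId": "HDFS_AUDIT_LOG_ENRICHED_STREAM_EAGLE_LP", "type": "GROUPBY", "columns": ["user"]}
  ]
}
"""
SAMPLE = json.loads(POLICY_JSON)

# Stream names as they appear in a simple single-statement query.
FROM_RE = re.compile(r"\bfrom\s+([A-Za-z_]\w*)", re.IGNORECASE)
INTO_RE = re.compile(r"\binsert\s+into\s+([A-Za-z_]\w*)", re.IGNORECASE)

def stream_mismatches(policy):
    """Return readable differences between declared streams and the query."""
    declared_in = set(policy.get("inputStreams", []))
    declared_out = set(policy.get("outputStreams", []))
    query = policy.get("definition", {}).get("value", "")
    findings = []
    for name in FROM_RE.findall(query):
        if name not in declared_in:
            findings.append(f"query reads '{name}', not listed in inputStreams")
    for name in INTO_RE.findall(query):
        if name not in declared_out:
            findings.append(f"query inserts into '{name}', not listed in outputStreams")
    for spec in policy.get("partitionSpec", []):
        if spec.get("streamId") not in declared_in:
            findings.append(f"partitionSpec uses '{spec.get('streamId')}', not listed in inputStreams")
    for name in sorted(declared_in & declared_out):
        findings.append(f"'{name}' is listed as both input and output stream")
    return findings

if __name__ == "__main__":
    for line in stream_mismatches(SAMPLE):
        print(line)
```
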
