SumoLogic · sumoanema · May 2, 2025 · Jan 29, 2025 · Jan 29, 2025 · Jan 29, 2025
@@ -222,4 +222,4 @@ Use this dashboard to:
 
 * Identify malicious IPs performing operations on DynamoDB tables using Sumo Logic Threat Intel.
 
-<img src={useBaseUrl('img/integrations/amazon-aws/AWS-DynamoDB-Threat-Intel.png')} alt="Amazon DynamoDB" />
+<img src={useBaseUrl('img/integrations/amazon-aws/AWS-DynamoDB-Threat-Intel.png')} alt="Amazon DynamoDB" />
@@ -62,42 +62,8 @@ The Elasticsearch app is a unified logs and metrics app that helps you monitor t
 
 Configuring log and metric collection for the Elasticsearch app includes the following tasks.
 
-### Step 1: Configure Fields in Sumo Logic
 
-Create the following Fields in Sumo Logic before configuring the collection. This ensures that your logs and metrics are tagged with relevant metadata required by the app dashboards. For information on setting up fields, see [Sumo Logic Fields](/docs/manage/fields).
-
-<Tabs
-  groupId="k8s-nonk8s"
-  defaultValue="k8s"
-  values={[
-    {label: 'Kubernetes environments', value: 'k8s'},
-    {label: 'Non-Kubernetes environments', value: 'non-k8s'},
-  ]}>
-
-<TabItem value="k8s">
-
-If you're using Elasticsearch in a Kubernetes environment, create the fields:
-
-* `pod_labels_component`
-* `pod_labels_environment`
-* `pod_labels_db_system`
-* `pod_labels_db_cluster`
-
-</TabItem>
-<TabItem value="non-k8s">
-
-If you're using Elasticsearch in a non-Kubernetes environment, create the fields:
-
-* `component`
-* `environment`
-* `db_system`
-* `db_cluster`
-* `pod`
-
-</TabItem>
-</Tabs>
-
-### Step 2: Configure Collection for Elasticsearch
+### Configure Collection for Elasticsearch
 
 <Tabs
   groupId="k8s-nonk8s"
@@ -368,92 +334,37 @@ At this point, Elasticsearch logs should start flowing into Sumo Logic.
 </TabItem>
 </Tabs>
 
-## Installing Elasticsearch Monitors
-
-Sumo Logic has provided pre-packaged alerts available through [Sumo Logic monitors](/docs/alerts/monitors) to help you proactively determine if an Elasticsearch cluster is available and performing as expected. These monitors are based on metric and log data and include pre-set thresholds that reflect industry best practices and recommendations. For more information about individual alerts, see [Elasticsearch Alerts](#elasticsearch-alerts).
-
-To install these monitors, you must have the **Manage Monitors** role capability. You can install monitors by importing a JSON file or using a Terraform script. There are limits to how many alerts can be enabled. For more information, see [Monitors](/docs/alerts/monitors/create-monitor) for details.
-
-### Method 1: Importing a JSON file
-
-1. Download the [JSON file](https://github.com/SumoLogic/terraform-sumologic-sumo-logic-monitor/blob/main/monitor_packages/Elasticsearch/Elasticsearch.json) that describes the monitors.
-2. The [JSON](https://github.com/SumoLogic/terraform-sumologic-sumo-logic-monitor/blob/main/monitor_packages/Elasticsearch/Elasticsearch.json) contains the alerts that are based on Sumo Logic searches that do not have any scope filters, and therefore will be applicable to all Elasticsearch clusters, the data for which has been collected via the instructions in the previous sections. However, if you would like to restrict these alerts to specific clusters or environments, update the JSON file by replacing the text `db_cluster=*` with `<Your Custom Filter>`. Custom filter examples:
-   * For alerts applicable only to a specific cluster, your custom filter would be: `db_cluster=dev-elasticsearch-01`
-   * For alerts applicable to all clusters that start with `elasticsearch-prod`, your custom filter would be: `db_cluster=elasticsearch-prod*`
-   * For alerts applicable to a specific clusters, within a production environment, your custom filter would be: `db_cluster=dev-elasticsearch-01` AND `environment=prod`. This assumes you have set the optional environment tag while configuring collection.
-3. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Monitoring > Monitors**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Alerts > Monitors**. You can also click the **Go To...** menu at the top of the screen and select **Monitors**. 
-4. Click **Add**.
-5. Click **Import**.
-6. On the **Import Content popup**, enter **Elasticsearch** in the Name field, paste in the JSON into the popup, and click **Import**.
-7. The monitors are created in a **Elasticsearch** folder. The monitors are disabled by default. See the [Monitors](/docs/alerts/monitors) topic for information about enabling monitors and configuring notifications or connections.
 
-### Method 2: Using a Terraform script
+## Installing the Elasticsearch app
 
-1. Generate a Sumo Logic access key and ID for a user that has the **Manage Monitors** role capability. For instructions, see [Access Keys](/docs/manage/security/access-keys).
-2. Download [Terraform 0.13](https://www.terraform.io/downloads.html) or later, and install it.
-3. Download the Sumo Logic Terraform package for Elasticsearch monitors. The alerts package is available in the Sumo Logic GitHub [repository](https://github.com/SumoLogic/terraform-sumologic-sumo-logic-monitor/tree/main/monitor_packages/Elasticsearch). You can either download it using the git clone command or as a zip file.
-4. Alert Configuration. After extracting the package, navigate to the `terraform-sumologic-sumo-logic-monitor/monitor_packages/Elasticsearch/` directory.
-   * Edit the `Elasticsearch.auto.tfvars` file and add the Sumo Logic Access Key and Access ID from Step 1 and your Sumo Logic deployment. If you're not sure of your deployment, see [Sumo Logic Endpoints and Firewall Security](/docs/api/getting-started#sumo-logic-endpoints-by-deployment-and-firewall-security).
-    ```bash
-    access_id   = "<SUMOLOGIC ACCESS ID>"
-    access_key  = "<SUMOLOGIC ACCESS KEY>"
-    environment = "<SUMOLOGIC DEPLOYMENT>"
-    ```
-   * The Terraform script installs the alerts without any scope filters. If you would like to restrict the alerts to specific clusters or environments, update the `elasticsearch_data_source` variable. For example:
-     * To configure alerts for a specific cluster, set `elasticsearch_data_source` to something like `db_cluster=elasticsearch.prod.01`
-     * To configure alerts for all clusters in an environment, set `elasticsearch_data_source` to something like `environment=prod`
-     * To configure alerts for multiple clusters using a wildcard, set `elasticsearch_data_source` to something like `db_cluster=elasticsearch-prod*`
-     * To configure alerts for a specific clusters within a specific environment, set `elasticsearch_data_source` to something like `db_cluster=elasticsearch-1` and `environment=prod`. This assumes you have configured and applied Fields as described in  [Configure Sumo Logic Fields](#step-1-configure-fields-in-sumo-logic).
-
-  All monitors are disabled by default on installation. To enable all of the monitors, set the `monitors_disabled` parameter to `false`. By default, the monitors will be located in a "Elasticsearch" folder on the **Monitors** page. To change the name of the folder, update the monitor folder name in the folder variable in the `Elasticsearch.auto.tfvars` file.
-5. If you want your alerts to send email or connection notifications, edit the `Elasticsearch_notifications.auto.tfvars` file to populate the `connection_notifications` and `email_notifications` sections. Examples are provided below. In the variable definition below, replace `<CONNECTION_ID>` with the connection ID of the Webhook connection. You can obtain the Webhook connection ID by calling the [Monitors API](https://api.sumologic.com/docs/#operation/listConnections).
-```bash title="Pagerduty connection example"
-connection_notifications = [
-    {
-      connection_type       = "PagerDuty",
-      connection_id         = "<CONNECTION_ID>",
-      payload_override      = "{\"service_key\": \"your_pagerduty_api_integration_key\",\"event_type\": \"trigger\",\"description\": \"Alert: Triggered {{TriggerType}} for Monitor {{Name}}\",\"client\": \"Sumo Logic\",\"client_url\": \"{{QueryUrl}}\"}",
-      run_for_trigger_types = ["Critical", "ResolvedCritical"]
-    },
-    {
-      connection_type       = "Webhook",
-      connection_id         = "<CONNECTION_ID>",
-      payload_override      = "",
-      run_for_trigger_types = ["Critical", "ResolvedCritical"]
-    }
-  ]
-```
+import AppInstall2 from '../../reuse/apps/app-install-only-k8s.md';
 
-For information about overriding the payload for different connection types, see [Set Up Webhook Connections](/docs/alerts/webhook-connections/set-up-webhook-connections).
-
-```bash title="Email notifications example"
-email_notifications = [
-    {
-      connection_type       = "Email",
-      recipients            = ["abc@example.com"],
-      subject               = "Monitor Alert: {{TriggerType}} on {{Name}}",
-      time_zone             = "PST",
-      message_body          = "Triggered {{TriggerType}} Alert on {{Name}}: {{QueryURL}}",
-      run_for_trigger_types = ["Critical", "ResolvedCritical"]
-    }
-  ]
-```
-6. Installation.
-   1. Navigate to the `terraform-sumologic-sumo-logic-monitor/monitor_packages/Elasticsearch/` directory and run terraform init. This will initialize Terraform and download the required components.
-   2. Run `terraform plan` to view the monitors that Terraform will create or modify.
-   3. Run `terraform apply`.
+<AppInstall2 />
 
-## Installing the Elasticsearch app
+As part of the app installation process, the following fields will be created by default:
+* `component`
+* `environment`
+* `db_system`
+* `db_cluster`
+* `pod`
+* `db_cluster_address`
+* `db_cluster_port`
 
-import AppInstall from '../../reuse/apps/app-install.md';
+Additionally, if you're using Elasticsearch in the Kubernetes environment, the following additional fields will be created by default during the app installation process:
+* `pod_labels_component`
+* `pod_labels_environment`
+* `pod_labels_db_system`
+* `pod_labels_db_cluster`
+* `pod_labels_db_cluster_address`
+* `pod_labels_db_cluster_port`
 
-<AppInstall/>
+For information on setting up fields, see [Fields](/docs/manage/fields).
 
 ## Viewing Elasticsearch dashboards
 
-:::tip Filter with template variables    
-Template variables provide dynamic dashboards that can rescope data on the fly. As you apply variables to troubleshoot through your dashboard, you view dynamic changes to the data for a quicker resolution to the root cause. You can use template variables to drill down and examine the data on a granular level. For more information, see [Filter with template variables](/docs/dashboards/filter-template-variables.md).
-:::
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
+
+<ViewDashboards/>
 
 ### Overview
 
@@ -533,9 +444,13 @@ The **ElasticSearch - Queries** dashboard shows Elasticsearch provides analytics
 
 <img src={useBaseUrl('img/integrations/databases/elasticsearch-q.png')} alt="elasticsearch dashboards" />
 
-## Elasticsearch Alerts
+## Create monitors for Elasticsearch app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
 
-Sumo Logic has provided out-of-the-box alerts available via[ Sumo Logic monitors](/docs/alerts/monitors) to help you quickly determine if the Elasticsearch database cluster is available and performing as expected.
+### Elasticsearch Alerts
 
 | Alert Type (Metrics/Logs) | Alert Name | Alert Description | Trigger Type (Critical / Warning) | Alert Condition | Recover Condition |
 |---|---|---|---|---|---|
Original file line number	Diff line number	Diff line change
Expand Up		@@ -222,4 +222,4 @@ Use this dashboard to:

		* Identify malicious IPs performing operations on DynamoDB tables using Sumo Logic Threat Intel.

		<img src={useBaseUrl('img/integrations/amazon-aws/AWS-DynamoDB-Threat-Intel.png')} alt="Amazon DynamoDB" />
		<img src={useBaseUrl('img/integrations/amazon-aws/AWS-DynamoDB-Threat-Intel.png')} alt="Amazon DynamoDB" />