Sensu Query Expressions
How do Sensu query expressions work?
Sensu query expressions (SQE) are based on govaluate expressions and add Sensu-specific functionality, such as nested parameters and custom functions, so that Sensu resources can be evaluated directly. An SQE should always return true or false.
New and improved expressions
Sensu 1 uses Ruby expressions, which are not available in Sensu 2 because Sensu 2 is written in Go. The syntax has therefore changed slightly, but in return it is now possible to use custom functions, which allow more complex expressions.
Sensu query expressions specification
All govaluate operators are available in Sensu query expressions. However, modifier operators may not be used in Sensu assets.
hour: returns the hour, in UTC and in the 24-hour time notation, of a UNIX Epoch time.
// event.Timestamp equals 1520275913, which is Monday, March 5, 2018 6:51:53 PM UTC
// The following expression returns true
hour(event.Timestamp) >= 17
weekday: returns a number representing the day of the week, where Sunday equals 0, of a UNIX Epoch time.
// event.Timestamp equals 1520275913, which is Monday, March 5, 2018 6:51:53 PM UTC
// The following expression returns false
weekday(event.Timestamp) == 0
Sensu query expressions examples
Simple evaluation of an event attribute
The following example returns true if the event’s entity contains a custom Environment attribute that is equal to production.
event.Entity.Environment == 'production'
Evaluating the weekday
The following example returns true if the event occurred on a weekday.
weekday(event.Timestamp) >= 1 && weekday(event.Timestamp) <= 5
Evaluating office hours
The following example returns true if the event occurred between 9 AM and 5 PM UTC.
hour(event.Timestamp) >= 9 && hour(event.Timestamp) <= 17
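The weekday and office-hours expressions above can be checked at their edges with the following added example, which is not Sensu's own code. It re-implements the documented hour and weekday semantics with the Go standard library (it does not use govaluate); the helper names isWeekday, inOfficeHours and epoch, and every timestamp other than 1520275913, are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// hour mirrors the documented hour(): the UTC hour (0-23) of a UNIX epoch time.
func hour(ts int64) int { return time.Unix(ts, 0).UTC().Hour() }

// weekday mirrors the documented weekday(): day of the week in UTC, Sunday == 0.
func weekday(ts int64) int { return int(time.Unix(ts, 0).UTC().Weekday()) }

// isWeekday is the page's expression: weekday(ts) >= 1 && weekday(ts) <= 5
func isWeekday(ts int64) bool { return weekday(ts) >= 1 && weekday(ts) <= 5 }

// inOfficeHours is the page's expression: hour(ts) >= 9 && hour(ts) <= 17
func inOfficeHours(ts int64) bool { return hour(ts) >= 9 && hour(ts) <= 17 }

// epoch builds a constructed sample timestamp from a wall-clock time
// observed in a fixed UTC offset (hypothetical helper, not a Sensu function).
func epoch(y int, m time.Month, d, h, min, s, offsetHours int) int64 {
	loc := time.FixedZone("sample", offsetHours*3600)
	return time.Date(y, m, d, h, min, s, 0, loc).Unix()
}

func main() {
	samples := []struct {
		name string
		ts   int64
	}{
		// Timestamp used in the page's own examples.
		{"page example (Mon 18:51:53 UTC)", 1520275913},
		// Constructed: last second that still satisfies hour <= 17.
		{"17:59:59 UTC", epoch(2018, time.March, 5, 17, 59, 59, 0)},
		// Constructed: Monday morning locally, but still Sunday in UTC.
		{"Mon 01:30 at UTC+9", epoch(2018, time.March, 5, 1, 30, 0, 9)},
	}
	for _, s := range samples {
		fmt.Printf("%-32s hour=%2d weekday=%d isWeekday=%-5t inOfficeHours=%t\n",
			s.name, hour(s.ts), weekday(s.ts), isWeekday(s.ts), inOfficeHours(s.ts))
	}
}
```

The second sample shows that hour(event.Timestamp) <= 17 stays true until 17:59:59 UTC, and the third that an event seen on Monday morning at UTC+9 is evaluated as Sunday, because both functions work in UTC.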