Reputation: 2660
ElastAlert Not working
I am trying to make a rule on elastAlert.
Config.yaml
rules_folder: example_rules
run_every:
minutes: 1
buffer_time:
minutes: 1
es_host: localhost
es_port: 9200
writeback_index: elastalert_status
alert_time_limit:
days: 2
example_rules/example_frequency.yaml:
name: Example rule
type: frequency
index: sample
num_events: 1
timeframe:
hours: 4
filter:
- term:
message: "hi"
alert:
- "email"
email:
- "[email protected]"
When I do :
GET sample/_search?q=*
I get:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 4,
"max_score": 1,
"hits": [
{
"_index": "sample",
"_type": "blog",
"_id": "2",
"_score": 1,
"_source": {
"@timestamp": "2016-05-27T17:32:00",
"message": "hi"
}
},
{
"_index": "sample",
"_type": "blog",
"_id": "4",
"_score": 1,
"_source": {
"@timestamp": "2016-05-27T12:15:00",
"message": "hi"
}
},
{
"_index": "sample",
"_type": "blog",
"_id": "1",
"_score": 1,
"_source": {
"@timestamp": "2016-05-27T17:25:00",
"message": "hi"
}
},
{
"_index": "sample",
"_type": "blog",
"_id": "3",
"_score": 1,
"_source": {
"@timestamp": "2016-05-27T17:45:00",
"message": "hi"
}
}
]
}
}
But when I do python -m elastalert.elastalert --verbose --rule example_frequency.yaml , I get this :
INFO:elastalert:Starting up
INFO:elastalert:Queried rule Example rule from 2016-05-27 17:43 IST to 2016-05-27 17:44 IST: 0 hits
INFO:elastalert:Ran Example rule from 2016-05-27 17:43 IST to 2016-05-27 17:44 IST: 0 query hits, 0 matches, 0 alerts sent
INFO:elastalert:Sleeping for 59 seconds
INFO:elastalert:Queried rule Example rule from 2016-05-27 17:44 IST to 2016-05-27 17:45 IST: 0 hits
INFO:elastalert:Ran Example rule from 2016-05-27 17:44 IST to 2016-05-27 17:45 IST: 0 query hits, 0 matches, 0 alerts sent
INFO:elastalert:Sleeping for 59 seconds
INFO:elastalert:Queried rule Example rule from 2016-05-27 17:45 IST to 2016-05-27 17:46 IST: 0 hits
INFO:elastalert:Ran Example rule from 2016-05-27 17:45 IST to 2016-05-27 17:46 IST: 0 query hits, 0 matches, 0 alerts sent
INFO:elastalert:Sleeping for 59 seconds
INFO:elastalert:Queried rule Example rule from 2016-05-27 17:46 IST to 2016-05-27 17:47 IST: 0 hits
INFO:elastalert:Ran Example rule from 2016-05-27 17:46 IST to 2016-05-27 17:47 IST: 0 query hits, 0 matches, 0 alerts sent
INFO:elastalert:Sleeping for 59 seconds
Why is it not working? It is showing hit queries to be 0. But why I don't understand.
Upvotes: 2
Views: 5141
Answers (2)
Reputation: 541
Using the "--es_debug_trace" can help like in the example given below
python -m elastalert.elastalert --verbose --rule example_frequency.yaml --es_debug_trace /opt/elastalert/runtime.log
This can help you get a look at actual cURL command being fired to get the number of hits. Here you can look at the date/time range being used to search for your filter/queries/matches.
In your case the problem was the date(IST and UTC) as mentioned by @Val in comments.
Upvotes: 3
Reputation: 365
You need to configure the timestamp in your rule (example_rules/example_frequency.yaml)
timestamp_field: "@timestamp"
and possibely :
timestamp_type
timestamp_format
-> Documentation
in addition to that, in your case, you will have the best performance with these configurations:
use_count_query: true
doc_type: blog
-> Documentation
Upvotes: 0
Related Questions
- Using next js 13 with elastic search
- elasticsearch range filter incorrect
- How to createID and pick latest n entries from the set in elasticsearch
- Getting the Double values instead of Integer using JestClient to retrieve document from elasticsearch
- ElastAlert no hits
- rails : type search with data address use elasticsearch chewy gem
- multiple query return error why?
- How to read the JSON output of a faceted search query?
- ElasticSearch doubles my _id field when filtering on it