Reputation: 379
Query a specific time-range and alert at specific time of the day
I need to run a rule at 2 am, querying logs from 0 to 2 am, and alert if matches are found.
So far all the rules I created are frequency rules, but I don't know how to achieve the specific time range for the query, and a specific time for the alert, can someone please help?
(I guess the ANY type could let me add my time range as part of the filter....but then how can I run the rule at 2 am every day?)
Upvotes: 2
Views: 2463
Answers (3)
Reputation: 16
if you want your alert to be effective for specific hours only, you can create an enhancement that drop the alert if the current time doesnt match your needs check https://elastalert.readthedocs.io/en/latest/recipes/adding_enhancements.html
regards
Upvotes: 0
Reputation: 946
The now is take the time of the server.
filter:
- range:
"@timestamp":
"from": "now-2h"
"to": "now"
Upvotes: 0
Reputation: 1
In UTC:
filter:
range:
"@timestamp":
gte: "now/d+0h"
lt: "now/d+2h"
Upvotes: 0
Related Questions
- query by timestamp range not working unless with keyword
- Customize the information in an alert received by elastalert plugin for elasticsearch
- How to use html in elastalert?
- ElastAlert range query is not sending alert emails even though the alert condition is met
- Turned off Elastalert for a couple days, now its querying all data since I turned it off
- Timestamp regexp in Elasticsearch
- Elastalert Blacklist alert giving traceback errors
- ElastAlert no hits