Reputation: 1
I have installed ElastAlert. Below are my config file and rule YAML file:
Config file:
rules_folder: rules
run_every:
  minutes: 15
buffer_time:
  minutes: 15
es_host: ip_address(#####)
es_port: 9200
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2
logging:
  version: 1
  incremental: false
  disable_existing_loggers: false
  formatters:
    logline:
      format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
  handlers:
    console:
      class: logging.StreamHandler
      formatter: logline
      level: DEBUG
      stream: ext://sys.stderr
    file:
      class: logging.FileHandler
      formatter: logline
      level: DEBUG
      filename: elastalert.log
  loggers:
    elastalert:
      level: WARN
      handlers: []
      propagate: true
    elasticsearch:
      level: WARN
      handlers: []
      propagate: true
Example_frequency.yaml file:
es_host: ip_address(####)
es_port: 9200
name: FaultExceptions
type: frequency
index: logstash_*
num_events: 5
timeframe:
  minutes: 15
filter:
- query:
    query_string:
      query: "ErrorGroup: Fault Exception"
alert:
- "email"
email:
- "[email protected]"
I am getting the mail every 15 minutes, but the data does not match the filter, where the ErrorGroup name should be Fault Exception. Please help me understand this, as I have been working on this for the last 4 days. Thanks in advance.
Upvotes: 0
Views: 741
Reputation: 504
Hope it's not too late, but yes, use the --es_debug_trace command line option. It lets you see the exact query being sent, as a curl command:
python3 -m elastalert.elastalert --verbose --rule your_rule_to_test.yaml --es_debug_trace /tmp/elastalert_curl.log
The curl command in /tmp/elastalert_curl.log can then be run in a terminal to see the output, or tweaked to see what went wrong. You can also paste the query into Kibana Dev Tools to check and test it. Also confirm that ErrorGroup is at the root level of the document in the index, and try ErrorGroup.keyword.
Upvotes: 0
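To see why the rule above can fire on documents whose ErrorGroup is not "Fault Exception", here is an added example (not from the question, the answer, or ElastAlert itself) with a simplified model of how Lucene's query_string parser splits a query into clauses; it assumes only field:term, field:"phrase" and bare terms (no boolean operators or grouping), and the constant `KEYWORD_FILTER` is an assumed alternative using the `ErrorGroup.keyword` field the answer suggests.

```python
import re

# Constructed samples: the filter from the question plus two tighter alternatives
# (assumption: the rule is meant to match the exact value "Fault Exception").
ORIGINAL_FILTER = {"query": {"query_string": {"query": "ErrorGroup: Fault Exception"}}}
PHRASE_FILTER = {"query": {"query_string": {"query": 'ErrorGroup:"Fault Exception"'}}}
KEYWORD_FILTER = {"term": {"ErrorGroup.keyword": "Fault Exception"}}

# field:term, field:"phrase", "phrase" or bare term; the field prefix is optional.
_TOKEN = re.compile(r'(?:(?P<field>[\w.]+)\s*:\s*)?(?:"(?P<phrase>[^"]*)"|(?P<term>[^\s"]+))')


def query_string_clauses(query, default_field="*"):
    """Simplified model of Lucene query_string parsing (assumption: no boolean
    operators, grouping or wildcards). A field prefix binds only to the single
    term or quoted phrase that follows it; later bare terms fall back to the
    default field ("*" is Elasticsearch's modern default, older versions used _all)
    and are combined with the default OR operator."""
    clauses = []
    for m in _TOKEN.finditer(query):
        field = m.group("field") or default_field
        if m.group("phrase") is not None:
            clauses.append((field, "phrase", m.group("phrase")))
        else:
            clauses.append((field, "term", m.group("term")))
    return clauses


def describe_filter(rule_filter):
    """Return (kind, clauses) for the ElastAlert filter shapes used above:
    a query_string filter is split into clauses, a term filter on a keyword
    field is a single exact-value match (no analysis, no splitting)."""
    if "term" in rule_filter:
        (field, value), = rule_filter["term"].items()
        return ("exact", [(field, "exact", value)])
    query = rule_filter["query"]["query_string"]["query"]
    return ("query_string", query_string_clauses(query))


if __name__ == "__main__":
    for name, f in (("original", ORIGINAL_FILTER), ("phrase", PHRASE_FILTER),
                    ("keyword", KEYWORD_FILTER)):
        print(name, describe_filter(f))
```

The original query yields two clauses, ErrorGroup:Fault and *:Exception, so with the default OR operator it can match any document that merely contains the word Exception in some field, which is consistent with the mismatched alerts described in the question.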