Two questions:
- Is the below ElastAlert rule correct for getting cumulative data from "system.network.in.dropped"?
- Can we use two fields in compare_key? We tried, but it did not work, meaning that when we have both fields, no ElastAlert alert is sent.
Example:
`compare_key: ["system.network.in.dropped OR "system.network.out.dropped"]`
Using the rule below:
```yaml
name: "Metricbeat - [Net]In/Out Network Packet Dropped"
type: change
es_host: 10.1.1.20
es_port: 9200
index: metricbeat-*
# How often ElastAlert will query elasticsearch
run_every:
  minutes: 2
# ElastAlert will buffer results from the most recent
buffer_time:
  minutes: 15
#bucket_interval:
#  minutes: 15
realert:
  minutes: 10
compare_key: "system.network.in.dropped"
ignore_null: true
query_key: "system.network.name"
doc_type: _doc
sync_bucket_interval: true
filter:
- query:
    query_string:
      query: "metricset.name:network AND host.name:test124"
- query:
    query_string:
      query: "system.network.in.dropped:(>0) OR system.network.out.dropped:(>0)"
```
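Added example, not part of the question above and not ElastAlert's own code: a small Python re-implementation of what the `change` rule type does with `query_key`, `compare_key` and `ignore_null`, run over constructed Metricbeat-style documents. Two points it makes concrete: ElastAlert's `compare_key` accepts either one field name or a YAML list of field names (`compare_key: ["system.network.in.dropped", "system.network.out.dropped"]`), and a change in any listed field counts; a string containing ` OR ` is looked up as a single field of that literal name, which no document has, so nothing is ever compared. Second, upstream `ChangeRule.compare` tests `not val` when `ignore_null` is set, so a counter value of `0` is skipped exactly like a missing field; that behaviour is mirrored here on purpose. With cumulative counters the rule fires on every observed increase per interface (the first document for an interface only seeds the state), and `realert` then suppresses repeats for the configured window. Host name, interface names and counter values are made up.

```python
"""Mini re-implementation of ElastAlert's `change` rule semantics (added
example, not ElastAlert's code) to show how compare_key / query_key /
ignore_null interact with cumulative Metricbeat network counters."""
from typing import Any, Dict, List, Optional, Tuple, Union

Event = Dict[str, Any]
# (query_key value, previous compared values, new compared values)
Match = Tuple[Any, List[Any], List[Any]]


def lookup_es_key(event: Event, key: str) -> Any:
    """Resolve a dotted field such as 'system.network.in.dropped' against a
    nested document, falling back to a flat key with the same name."""
    if key in event:
        return event[key]
    cur: Any = event
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


class ChangeRule:
    """Fires when any compared field differs from the value last seen for the
    same query_key. compare_key may be one field name or a list of names."""

    def __init__(self, query_key: str, compare_key: Union[str, List[str]],
                 ignore_null: bool = True) -> None:
        self.query_key = query_key
        # A string compare_key is expanded to a one-element list, as upstream does.
        self.compare_keys = [compare_key] if isinstance(compare_key, str) else list(compare_key)
        self.ignore_null = ignore_null
        self.occurrences: Dict[Any, List[Any]] = {}  # last values seen per query_key

    def compare(self, event: Event) -> Optional[Match]:
        key = lookup_es_key(event, self.query_key)
        values = [lookup_es_key(event, k) for k in self.compare_keys]
        # ignore_null: skip the event if any compared field is missing. Upstream
        # uses `not val`, so a counter of 0 is skipped like a missing field.
        if self.ignore_null:
            for val in values:
                if not isinstance(val, bool) and not val:
                    return None
        previous = self.occurrences.get(key)
        self.occurrences[key] = values
        if previous is None:
            return None  # first sighting of this query_key: nothing to compare yet
        if any(p != v for p, v in zip(previous, values)):
            return (key, previous, values)
        return None


def run_rule(rule: ChangeRule, events: List[Event]) -> List[Match]:
    """Feed events in timestamp order (as ElastAlert does) and collect matches."""
    matches: List[Match] = []
    for event in events:
        m = rule.compare(event)
        if m is not None:
            matches.append(m)
    return matches


def metricbeat_doc(ts: str, iface: str, in_dropped: Optional[int],
                   out_dropped: Optional[int]) -> Event:
    """Build a constructed Metricbeat system/network style document."""
    net: Dict[str, Any] = {"name": iface}
    if in_dropped is not None:
        net["in"] = {"dropped": in_dropped}
    if out_dropped is not None:
        net["out"] = {"dropped": out_dropped}
    return {"@timestamp": ts, "host": {"name": "test124"},
            "metricset": {"name": "network"}, "system": {"network": net}}


# Constructed sample documents (not real Metricbeat output). The dropped
# counters are cumulative, so they only ever grow.
SAMPLE_EVENTS: List[Event] = [
    metricbeat_doc("2020-01-01T00:00:00Z", "eth0", 10, 0),     # out==0: skipped when comparing both
    metricbeat_doc("2020-01-01T00:00:10Z", "eth0", 10, 3),     # seeds state for eth0
    metricbeat_doc("2020-01-01T00:00:10Z", "eth1", 5, 2),      # seeds state for eth1
    metricbeat_doc("2020-01-01T00:00:20Z", "eth0", 10, 3),     # unchanged
    metricbeat_doc("2020-01-01T00:00:30Z", "eth0", 12, 3),     # in.dropped grew
    metricbeat_doc("2020-01-01T00:00:30Z", "eth1", 5, 4),      # out.dropped grew
    metricbeat_doc("2020-01-01T00:00:40Z", "eth0", 12, None),  # out.dropped missing: skipped
]


def matches_for(compare_key: Union[str, List[str]]) -> List[Match]:
    """Run the sample stream with the given compare_key and ignore_null: true."""
    rule = ChangeRule(query_key="system.network.name", compare_key=compare_key)
    return run_rule(rule, SAMPLE_EVENTS)


if __name__ == "__main__":
    both = ["system.network.in.dropped", "system.network.out.dropped"]
    for label, ck in (("in.dropped only", "system.network.in.dropped"), ("both fields", both)):
        print(label)
        for key, prev, new in matches_for(ck):
            print(f"  {key}: {prev} -> {new}")
```

With the single field, only the eth0 increase of in.dropped fires; with the list, the eth1 increase of out.dropped fires as well, and the first eth0 document is never compared because its out.dropped is 0. If you want the filter on `>0` to keep such documents out rather than relying on that quirk, the query_string filter in the rule already does so for the query itself.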