Can we use multiple fields in compare_key?

Two questions:

  1. Is the ElastAlert rule below correct for getting cumulative data on "system.network.in.dropped"?
  2. Can we use two fields in compare_key? We tried, but it did not work, meaning that when both fields are present no alert is sent.
     Example:
     `compare_key: ["system.network.in.dropped" OR "system.network.out.dropped"]`

Using the rule below:

```yaml
name: Metricbeat - [Net]In/Out Network Packet Dropped
type: change

es_host: 10.1.1.20
es_port: 9200

index: metricbeat-*

# How often ElastAlert will query elasticsearch
run_every:
  minutes: 2

# ElastAlert will buffer results from the most recent
buffer_time:
  minutes: 15

#bucket_interval:
#  minutes: 15

realert:
  minutes: 10

compare_key: "system.network.in.dropped"

ignore_null: true

query_key: "system.network.name"
doc_type: _doc

sync_bucket_interval: true

filter:
- query:
    query_string:
      query: "metricset.name:network AND host.name:test124"
- query:
    query_string:
      query: "system.network.in.dropped:(>0) OR system.network.out.dropped:(>0)"
```
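An added example, not from the original post or the ElastAlert project: ElastAlert's documented `change` rule accepts `compare_key` as a list of strings and matches when any listed field differs from the previous document seen for the same `query_key`, so the two fields are written as separate list items rather than one string joined with OR. Field names and the filter are taken from the rule above; everything else is left as posted.

```yaml
# Added example: only compare_key differs from the rule in the post.
name: Metricbeat - [Net]In/Out Network Packet Dropped
type: change

index: metricbeat-*

# A list of field names: an alert fires when either value differs
# from the previous document seen for the same query_key.
compare_key:
  - "system.network.in.dropped"
  - "system.network.out.dropped"

# Documents missing a listed field are skipped rather than being
# treated as a change from a present value.
ignore_null: true

# Changes are tracked separately for each network interface.
query_key: "system.network.name"

filter:
- query:
    query_string:
      query: "metricset.name:network AND host.name:test124"
```

A `change` rule compares each document's value with the last one seen for that key; it does not accumulate totals, so it reports a changed drop counter rather than a cumulative figure.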

Hi @shilpa,

This is probably the wrong forum for an ElastAlert question. The project is hosted here: https://github.com/Yelp/elastalert/issues

Thank you, Thomas.
