ElastAlert : multiple query against multiple indices in same rule file

Hi,
I have created 2 separate rule files, which are as follows:
# --------------------------------------------------------
realert:
  minutes: 5
from_addr: test@email.com
es_host: xx.xx.xxx.xx
index: topbeat-*
smtp_host: ismtp.corp.company.com
type: frequency
es_port: 9200
filter:
 - range:
    mem.used_p:
      from: 0.70
      to: 1.0
 - term:
    beat.hostname: xxxxx
timeframe:
  minutes: 30
alert: email
name: 9__server__xxxxx__mem.used_p__0.70__30
email: ["user@email.com"]
num_events: 1
# ------------------------------------------------------------
# ------------------------------------------------------------
realert:
  minutes: 5
from_addr: test@email.com
es_host: xx.xx.xxx.xx
index: packetbeat-*
smtp_host: ismtp.corp.company.com
type: frequency
es_port: 9200
filter:
 - term:
    http.code: 404
 - term:
    beat.hostname: yyyyy
timeframe:
  minutes: 30
alert: email
name: 25__app__yyyyy__http.code__404__1__30
email: ["user@email.com"]
num_events: 1
# ------------------------------------------------------------

Both rule files are generating emails as per their definition.

Is there any way to have these two rule files as a single rule file,
where I might need to define index: topbeat-*,packetbeat-*?
In that case, how do I need to write the filters so that mem.used_p is queried against topbeat-* for server xxxxx and http.code is queried against packetbeat-* for server yyyyy?

Hi,
Can anybody please reply to the above issue?
Is it possible in ElastAlert to query the topbeat-* index for some condition1
and the packetbeat-* index for some other condition2, and generate mail only if both conditions are satisfied?
If yes, what would be the syntax for that approach?
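As an added illustration (not ElastAlert's own code and not from this thread), the Python below re-implements the matching of the two posted filters against constructed sample events and then combines the two rules' outcomes. It shows why the question is really about correlation: a rule's filter is evaluated per document over one index pattern, so "topbeat condition AND packetbeat condition" is a join across two separate evaluations. The field names, index patterns, thresholds and timeframe come from the two rule files; the events, timestamps and helper names are constructed for the example.

```python
"""Evaluate the two posted rule filters against constructed events; illustration only."""
from datetime import datetime, timedelta

# Filter clauses and settings copied from the two rule files in the post.
MEM_RULE = {"index": "topbeat-*", "num_events": 1,
            "filter": [{"range": {"mem.used_p": {"from": 0.70, "to": 1.0}}},
                       {"term": {"beat.hostname": "xxxxx"}}]}
HTTP_RULE = {"index": "packetbeat-*", "num_events": 1,
             "filter": [{"term": {"http.code": 404}},
                        {"term": {"beat.hostname": "yyyyy"}}]}
WINDOW = timedelta(minutes=30)  # timeframe used by both rules

def clause_matches(clause, event):
    """A filter entry is a one-key dict: {'term': {...}} or {'range': {...}}."""
    (kind, body), = clause.items()
    field, cond = next(iter(body.items()))
    value = event.get(field)
    if value is None:
        return False
    if kind == "term":
        return value == cond
    if kind == "range":  # ES from/to are inclusive bounds by default
        return cond["from"] <= value <= cond["to"]
    raise ValueError(f"unsupported filter type {kind!r}")

def rule_fires(rule, events, now):
    """Frequency rule: every clause must match (AND) for at least num_events
    documents from the rule's index pattern inside the timeframe."""
    prefix = rule["index"].rstrip("*")
    hits = [e for e in events
            if e["_index"].startswith(prefix)
            and now - e["@timestamp"] <= WINDOW
            and all(clause_matches(c, e) for c in rule["filter"])]
    return len(hits) >= rule["num_events"]

def both_conditions(events, now):
    # One rule's per-document filter cannot demand a topbeat document AND a
    # packetbeat document; that correlation happens here, across two evaluations.
    return rule_fires(MEM_RULE, events, now) and rule_fires(HTTP_RULE, events, now)

# Constructed sample documents (not real data); SAMPLE_STALE moves the
# packetbeat hit outside the 30-minute window so only the memory rule fires.
NOW = datetime(2017, 1, 1, 12, 0)
SAMPLE_OK = [
    {"_index": "topbeat-2017.01.01", "@timestamp": NOW - timedelta(minutes=5),
     "beat.hostname": "xxxxx", "mem.used_p": 0.82},
    {"_index": "packetbeat-2017.01.01", "@timestamp": NOW - timedelta(minutes=2),
     "beat.hostname": "yyyyy", "http.code": 404},
]
SAMPLE_STALE = [SAMPLE_OK[0], {**SAMPLE_OK[1], "@timestamp": NOW - timedelta(minutes=40)}]
```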

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.