Email ElastAlert Not triggering on Average Aggregation query

Chennai_Cheetah · October 22, 2020, 7:15am

Mail is not triggering for my elast alert aggregator rule.

I have a Elastic DSL Query which returns me an average Response time for the API for the last 15 mins.

My objective is to fire email if the API average response time > 5sec.

In the below DSL Query response I am getting an average of 5.32. But In elastalert rules, no alerts are not generating for the same elastalert configuraiton

Rules.yaml

es_host: 100.10.10.100
es_port: 9200
es_username: elastic
es_password: elastic
name: Average ResponseTime
type: metric_aggregation
index: logstashlogs-*
bucket_interval:
minutes: 15
metric_agg_key: elapsed_time
metric_agg_type: avg
doc_type: _doc
max_threshold: 5
filter:

term:
doc.processName: CreateCustomer
term:
doc.messageType: SourceResponse

alert:

email
email:
Test1234@gmail.com
alert_subject: Avg response lapsed
alert_text: |
Testing for average response time.
alert_text_type: alert_text_only
smtp_host: 100.100.10.10
smtp_port: 25
smtp_ssl: false
from_addr: test@gmail.com
smtp_auth_file: smtp_auth_file.yaml


**Output from elastalert**

1 rules loaded
INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are:
INFO:elastalert:Sleeping for 59.999888 seconds
INFO:elastalert:Ran Average ResponseTime from 2020-10-21 11:42 UTC to 2020-10-21 11:57 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Background configuration change check run at 2020-10-21 11:58 UTC
INFO:elastalert:Background alerts thread 0 pending alerts sent at 2020-10-21 11:58 UTC

But If I cross check in Curl I am getting average value

DSL Query

{
   "aggs":{
      "processFilter":{
         "filter":{
            "bool":{
               "should":[
                  {
                     "bool":{
                        "must":[
                           {
                              "match":{
                                 "doc.processName":"CreateCustomer"
                              }
                           },
                           {
                              "match":{
                                 "doc.messageType":"SourceResponse"
                              }
                           },
                           {
                              "range":{
                                 "@timestamp":{
                                    "gte":"now-30m/m",
                                    "lte":"now/m"
                                 }
                              }
                           }
                        ]
                     }
                  }
               ]
            }
         },
         "aggs":{
            "avg_et":{
               "avg":{
                  "field":"elapsed_time"
               }
            }
         }
      }
   }
}
**Response :**

"aggregations" : {
    "processFilter" : {
      "meta" : { },
      "doc_count" : 5,
      "**avg_et**" : {
        "value" : 5.3289999008178714
      }
    }
  }
}

spinscale · October 22, 2020, 9:51am

You might have more luck asking this in the elastalert forums/github repositories than over here, as most questions here revolve about alerting.

Chennai_Cheetah · October 22, 2020, 10:20am

Thanks Spinscale. Apologies over this post over here.

system · November 19, 2020, 10:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastalert not sending email Elasticsearch	2	3528	July 5, 2017
Integration elastalert and elasticsearch Elasticsearch	1	617	October 11, 2019
Elastalert Not sending Alerts Elasticsearch elastic-stack-alerting	1	147	June 4, 2024
Elastalert is not triggering the email notifications Logs	3	410	January 5, 2023
Config elastalert Kibana	2	692	October 2, 2019

Email ElastAlert Not triggering on Average Aggregation query

Related topics