How to check if a keyword exists in elastalert

Chel_Db · July 4, 2023, 5:05pm

I wanted to send out an alert to our slack channel if a there is an indexing error or the number of events > 20 for last 10 minutes. Below is my elastalert yaml configuration.

influx_indexing_error_slack_message_rule: |-
    ---
    es_host: elk.org.my.com
    es_port: 9200 
    name: failure message
    index: logstash-influxdb*
    type: frequency
    num_events: 20
    timeframe:
      minutes: 10
    realert:
      minutes: 15
    filter:
    - exists:
        field: "error.keyword"
    alert:
    - "slack"
       slack related detail

Will this work real time ? I don't see much of a documentation covering the exists conditions, hence reached out to you experts here.

I went thru - Writing Filters For Rules — ElastAlert 0.0.1 documentation

stephenb · July 4, 2023, 5:10pm

Hi @Chel_Db

Elastalert is not part of the Elastic Stack so you really need to go to their forums to ask questions... We are not experts on that.

If you have questions on the built in Alerting framework we are happy to help with that!

Chel_Db · July 4, 2023, 5:14pm

My bad, thanks @stephenb . I will reach out to them.

system · August 1, 2023, 5:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Slack with logstash and elastalert Logstash	4	1501	January 1, 2018
Kibana Error Alerting - Filter Similiar Error Messages \| Similarity Query [Elastalert] Kibana	3	540	February 26, 2021
Message.keyword does not exists Beats	5	1865	June 12, 2019
Logstash pipeline check for index Logstash	5	1109	April 16, 2020
About Elastalert errors Elasticsearch	2	480	May 1, 2023

How to check if a keyword exists in elastalert

Related topics