I am using the below parameters in the frequency rule type, but realert is not working on the specified time duration. I have mentioned realert with hours: 1 and query_key: "Hostname", i.e. since realert is 1 hour I assume it should aggregate records based on the hostname field for the hour (assume from 9:00 to 10:00), and as num_events: 1 it should raise only one alarm per hostname even though the hostname has more events in that hour. It is working as expected. But if the event comes after one hour, i.e. at 10:25, the alarm is not getting generated. Currently I haven't configured any alert notification. I can see they are suppressed in the console.
rule file has:

```yaml
es_host: localhost
es_port: 9200
rules_folder: "D:\elastalert-master\example_rules"
buffer_time:
  hours: 4
timeframe:
  days: 4
writeback_index: test_elastalert1
name: test5 rule
type: frequency
timestamp_field: "time"
index: test_elastalert1
num_events: 1
aggregation:
  #minutes: 10
  days: 1
aggregation_key: "Hostname"
query_key: "Hostname"
realert:
  hours: 1
filter:
- query:
    match:
      "event_message": "Ping"
alert: "email"
alert_subject: "Issue is occurred "
alert_info: "event from "
```
elastalert-test-rule

```
D:\elastalert-master\example_rules>elastalert-test-rule test5.yaml
Successfully loaded test5 rule
Got 4 hits from the last 1 day
Available terms in first hit:
event_message
event_sev
Hostname
event_source
time
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
INFO:elastalert:Queried rule test5 rule from 2018-12-16 14:13 Central Standard Time to 2018-12-16 18:13 Central Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule test5 rule from 2018-12-16 18:13 Central Standard Time to 2018-12-16 22:13 Central Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule test5 rule from 2018-12-16 22:13 Central Standard Time to 2018-12-17 02:13 Central Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule test5 rule from 2018-12-17 02:13 Central Standard Time to 2018-12-17 06:13 Central Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule test5 rule from 2018-12-17 06:13 Central Standard Time to 2018-12-17 10:13 Central Standard Time: 4 / 4 hits
INFO:elastalert:Queried rule test5 rule from 2018-12-17 10:13 Central Standard Time to 2018-12-17 14:13 Central Standard Time: 0 / 0 hits
INFO:elastalert:New aggregation for test5 rule, aggregation_key: lv00001. next alert at 2018-12-18 20:13:44.943000+00:00.
INFO:elastalert:Ignoring match for silenced rule test5 rule.lv00001
INFO:elastalert:New aggregation for test5 rule, aggregation_key: lv00002. next alert at 2018-12-18 20:13:44.950000+00:00.
INFO:elastalert:Ignoring match for silenced rule test5 rule.lv00002
Would have written the following documents to writeback index (default is elastalert_status):
silence - {'rule_name': u'test5 rule.lv00001', '@timestamp': datetime.datetime(2018, 12, 17, 20, 13, 44, 938000, tzinfo=tzutc()), 'exponent': 0, 'until': datetime.datetime(2018, 12, 17, 21, 13, 44, 938000, tzinfo=tzutc())}
elastalert - {'alert_info': {}, 'alert_sent': False, 'match_body': {'_type': u'record', u'event_source': u'BPPM', '_index': u'test_elastalert1', 'num_hits': 4, u'event_sev': u'Critical', u'Hostname': u'lv00001', u'event_message': u'ping response is failed ', u'time': '2018-12-17T13:01:04.572Z', 'num_matches': 4, '_id': u'9'}, 'rule_name': 'test5 rule', 'match_time': '2018-12-17T13:01:04.572Z', 'alert_time': datetime.datetime(2018, 12, 18, 20, 13, 44, 943000, tzinfo=tzutc()), 'aggregation_key': u'lv00001', 'alert_exception': None}
silence - {'rule_name': u'test5 rule.lv00002', '@timestamp': datetime.datetime(2018, 12, 17, 20, 13, 44, 949000, tzinfo=tzutc()), 'exponent': 0, 'until': datetime.datetime(2018, 12, 17, 21, 13, 44, 949000, tzinfo=tzutc())}
elastalert - {'alert_info': {}, 'alert_sent': False, 'match_body': {'_type': u'record', u'event_source': u'DYNA', '_index': u'test_elastalert1', 'num_hits': 4, u'event_sev': u'Critical', u'Hostname': u'lv00002', u'event_message': u'ping response is failed ', u'time': '2018-12-17T13:05:27.706Z', 'num_matches': 4, '_id': u'13'}, 'rule_name': 'test5 rule', 'match_time': '2018-12-17T13:05:27.706Z', 'alert_time': datetime.datetime(2018, 12, 18, 20, 13, 44, 950000, tzinfo=tzutc()), 'aggregation_key': u'lv00002', 'alert_exception': None}
elastalert_status - {'hits': 4, 'matches': 4, '@timestamp': datetime.datetime(2018, 12, 17, 20, 13, 44, 952000, tzinfo=tzutc()), 'rule_name': 'test5 rule', 'starttime': datetime.datetime(2018, 12, 16, 20, 13, 44, 869000, tzinfo=tzutc()), 'endtime': datetime.datetime(2018, 12, 17, 20, 13, 44, 869000, tzinfo=tzutc()), 'time_taken': 0.06799983978271484}
D:\elastalert-master\example_rules>
```