Troubleshooting ElastAlert

I am trying to create an alert that shows as invalid in ElastAlert. I need help seeing why it is failing. Here is the query for the rule.

doc_type: doc
filter:
- query_string:
    query: |
      node_app: [hidden]
      AND client_guid: "[hidden]"
      AND action: DISCOVERED 
index: logstash-*
type: flatline
threshold: default
timeframe: 
    hours: 24
aggregation:
    schedule: '* 7 * * 2,3,4,5,6 *'

I have hidden values for security and privacy reasons. Please help me understand what is causing this rule to be invalid.

Thank you!
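
A pre-flight check for the rule above, as an added example that is not part of the original post and not ElastAlert's own code. It assumes, from ElastAlert's documented rule options, that every rule needs `type`, `index` and `alert`, and that a `flatline` rule needs a numeric `threshold` and a `timeframe`; the function and constant names are hypothetical.

```python
# Added example: pre-flight checks for a parsed ElastAlert flatline rule.
# The requirements below are assumptions taken from ElastAlert's documented
# rule options; this is not the project's schema or loader code.
import numbers

REQUIRED_COMMON = ("type", "index", "alert")      # assumed: needed by every rule
REQUIRED_FLATLINE = ("threshold", "timeframe")    # assumed: needed by type flatline
TIME_UNITS = {"weeks", "days", "hours", "minutes", "seconds", "milliseconds"}


def check_flatline_rule(rule):
    """Return a list of problems found in the rule; an empty list means none."""
    problems = [f"missing required option: {key}"
                for key in REQUIRED_COMMON + REQUIRED_FLATLINE if key not in rule]

    if "threshold" in rule:
        value = rule["threshold"]
        # bool is a Number subclass in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, numbers.Number):
            problems.append(f"threshold must be a number, got {value!r}")

    if "timeframe" in rule:
        frame = rule["timeframe"]
        if not isinstance(frame, dict) or not frame:
            problems.append("timeframe must map a time unit to a number")
        else:
            for unit, amount in frame.items():
                if unit not in TIME_UNITS:
                    problems.append(f"timeframe unit not recognised: {unit}")
                elif isinstance(amount, bool) or not isinstance(amount, numbers.Number):
                    problems.append(f"timeframe {unit} must be a number, got {amount!r}")
    return problems


# Constructed input: the rule from the post as a YAML parser would return it,
# with the hidden query values left as the post's placeholders.
POSTED_RULE = {
    "doc_type": "doc",
    "filter": [{"query_string": {"query":
        'node_app: [hidden]\nAND client_guid: "[hidden]"\nAND action: DISCOVERED\n'}}],
    "index": "logstash-*",
    "type": "flatline",
    "threshold": "default",
    "timeframe": {"hours": 24},
    "aggregation": {"schedule": "* 7 * * 2,3,4,5,6 *"},
}

if __name__ == "__main__":
    for problem in check_flatline_rule(POSTED_RULE):
        print(problem)
```

The check only looks at the keys visible in the post, so an option the poster left out of the excerpt is reported as missing.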
