I am trying to create an alert that shows as invalid in Elastalerts. Need help seeing why it is failing. Here is the query for the rule.
doc_type: doc
filter:
- query_string:
query: |
node_app: [hidden]
AND client_guid: "[hidden]"
AND action: DISCOVERED
index: logstash-*
type: flatline
threshold: default
timeframe:
hours: 24
aggregation:
schedule: '* 7 * * 2,3,4,5,6 *'
I have hidden values for security and privacy reasons. Please help me understand what is causing this rule to be invalid.
Thank you!