elastalert: Issue with type:new_term and exceptions
Hi there, my team have been experimenting with certain logs and ElastAlert for a bit now, trying to see if integrating these will be a viable option for us. We're trying to experiment with the "new_term" type in an effort to make the alerting a little bit cleaner; however, we've run into a weird issue with filtering on this. Unfortunately, I am not able to share many details due to confidentiality, but here's what we're seeing:
In type:any rules or the like, we can use something like

```yaml
filter:
- term:
    product.keyword: "productname"
- exists:
    field: "somefield"
- query:
    query_string:
      query: "severity:3 OR severity:4"
- query:
    query_string:
      query: "src: [10.0.0.0 TO 10.255.255.255] OR src: [172.16.0.0 TO 172.31.255.255]"
```
And this will filter out anything non-matching. However, if we apply the exact same filters to a rule with type:new_term, the rule crashes with ElastAlert returning the following in the journalctl output:
```text
WARNING:elasticsearch:GET https://localhost:9200/index*/_search?ignore_unavailable=true&timeout=50s [status:400 request:0.082s]
Feb 20 14:03:18 server python[30778]: ERROR:root:Could not load rule /etc/elastalert/rules/rulename-new.yaml: Error initializing rule somerule
14:03:18 server python[30778]: /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made. A
Feb 20 14:03:18 server python[30778]: InsecureRequestWarning,
Feb 20 14:03:18 server python[30778]: /usr/lib/python2.7/site-packages/elastalert/elastalert.py:1045: YAMLLoadWarning: calling yaml.load() without Loader=... is depreca
Feb 20 14:03:18 server python[30778]: rule_yaml = yaml.load(f)
Feb 20 14:03:18 server python[30778]: ERROR:root:Error connecting to SMTP host:{}
```
Can anyone please share if there’s a way to filter this out appropriately or if a different tactic has to be used?
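As an added example (not ElastAlert's code and not from this issue), the Python below models offline what the rule above is meant to do: it applies the same four filter clauses to constructed events, then alerts once per never-before-seen value of a field. The tracked field `user` and the `known` set (standing in for the terms ElastAlert pre-loads from its history window) are assumptions, since the issue does not name the new_term field.

```python
import ipaddress

# Constructed sample events standing in for the confidential logs in the issue.
EVENTS = [
    {"product": "productname", "somefield": "x", "severity": 3, "src": "10.1.2.3", "user": "alice"},
    {"product": "productname", "somefield": "x", "severity": 4, "src": "172.16.5.9", "user": "bob"},
    {"product": "other", "somefield": "x", "severity": 4, "src": "10.1.2.3", "user": "mallory"},  # term mismatch
    {"product": "productname", "severity": 3, "src": "10.9.9.9", "user": "carol"},  # somefield missing
    {"product": "productname", "somefield": "x", "severity": 1, "src": "10.1.2.3", "user": "dave"},  # severity
    {"product": "productname", "somefield": "x", "severity": 3, "src": "8.8.8.8", "user": "eve"},  # public src
    {"product": "productname", "somefield": "x", "severity": 4, "src": "10.1.2.3", "user": "alice"},  # seen
]

# The two inclusive src ranges from the issue, expressed as CIDR blocks.
PRIVATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]


def matches_filter(event):
    """Mirror the four filter clauses: term, exists, severity OR, src range OR."""
    if event.get("product") != "productname":          # term: product.keyword
        return False
    if "somefield" not in event:                        # exists: somefield
        return False
    if event.get("severity") not in (3, 4):             # severity:3 OR severity:4
        return False
    try:
        src = ipaddress.ip_address(event.get("src", ""))
    except ValueError:                                  # unparseable src never matches a range
        return False
    return any(src in net for net in PRIVATE_RANGES)   # src in either private range


def new_term_alerts(events, field="user", known=None):
    """Return values of `field` (assumed) seen for the first time among filtered events.

    `known` is an assumed stand-in for the terms a new_term rule loads from its history window.
    """
    seen = set(known or ())
    alerts = []
    for event in events:
        if not matches_filter(event):
            continue
        value = event.get(field)
        if value is None or value in seen:
            continue
        seen.add(value)
        alerts.append(value)
    return alerts


if __name__ == "__main__":
    print(new_term_alerts(EVENTS))  # prints ['alice', 'bob']
```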
About this issue
- State: closed
- Created 4 years ago
- Comments: 15
Never mind, this is fixed, thank you for your help. I'll proceed in closing this off.
Thanks so much for the responses, I’ve attempted the suggestion given by @daichi703n in #2688.
I see the rule has now not broken (mind you, it's a very simple filter), but I guess I'll need to keep watching to see if it actually alerts.
Thanks again for the help.