elastalert: Simple query doesn't work

Hi guys, I'm trying to create a rule in ElastAlert with a simple query and nothing seems to work. I have created a new index in Kibana, and every 5 minutes it creates this output when a machine is at 100% CPU:

```
Apr 3, 2021 @ 12:51:16.293 alert_date:Apr 3, 2021 @ 12:51:16.293 alert_id:24552320-92b4-11eb-8efd-f12d1f97a6d4 alert_instance_id:--*** alert_state:ALERT context_reason:system.cpu.total.norm.pct is greater than a threshold of 90% (current value is 100%) context_value:{"condition0":"100%"} _id:2BYkl3gBM84OhRZn0x5M _index:metric-alerts _score: - _type:_doc
```

I've tried multiple rule search queries and this is my last version, trying to set up an alert for each of the above outputs, using the term "ALERT":

```yaml
name: query metric alerts
type: any
index: metric*

filter:
- query:
    simple_query_string:
      query: "ALERT"

alert:
- "slack"

slack_webhook_url: "https://hooks.slack.com/services/**********"
```

When I run the rule, all I get is this:

```
# python3 -m elastalert.elastalert --verbose --rule query_metric_alerts.yaml
1 rules loaded
INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999908 seconds
INFO:elastalert:Queried rule query metric alerts from 2021-04-03 05:42 EDT to 2021-04-03 05:57 EDT: 0 / 0 hits
INFO:elastalert:Ran query metric alerts from 2021-04-03 05:42 EDT to 2021-04-03 05:57 EDT: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Background configuration change check run at 2021-04-03 05:57 EDT
INFO:elastalert:Background alerts thread 0 pending alerts sent at 2021-04-03 05:57 EDT
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999809 seconds
INFO:elastalert:Queried rule query metric alerts from 2021-04-03 05:43 EDT to 2021-04-03 05:58 EDT: 0 / 0 hits
INFO:elastalert:Ran query metric alerts from 2021-04-03 05:43 EDT to 2021-04-03 05:58 EDT: 0 query hits (0 already seen), 0 matches, 0 alerts sent
```

The Slack alert is working properly; I have tested it.

Any thoughts? Many thanks.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 21 (10 by maintainers)

Most upvoted comments

This has been resolved. Timestamp was the culprit.
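Why the timestamp matters, as an added example that is not part of the original issue or of ElastAlert's own code: ElastAlert does not just send the rule's `filter` to Elasticsearch. Every query is wrapped in a range clause on the rule's `timestamp_field`, which defaults to `@timestamp` when the rule sets none. A range query never matches a document that lacks the field, so an index whose time field is `alert_date` returns `0 / 0 hits` no matter what the filter says. The script below models that behaviour offline: it builds a query body of approximately the shape ElastAlert sends, evaluates it against a few constructed documents modelled on the post's `metric-alerts` output, and compares the posted rule with the same rule plus `timestamp_field: alert_date`. The document contents, window, and the simplified `simple_query_string` matcher (whitespace-tokenised, lowercased, values only) are assumptions for illustration.

```python
"""Offline model of ElastAlert's time-window wrapping.

Constructed example: the query shape is an approximation of what ElastAlert
builds, the documents are made up from the output quoted in the issue, and
simple_query_string is reduced to a token match over string field values.
"""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_TIMESTAMP_FIELD = "@timestamp"  # ElastAlert's default when the rule sets none

# Constructed documents in the style of the metric-alerts index from the post.
SAMPLE_DOCS = [
    {
        "_id": "doc-1",
        "alert_date": "2021-04-03T12:51:16.293Z",
        "alert_state": "ALERT",
        "context_reason": "system.cpu.total.norm.pct is greater than a threshold of 90% (current value is 100%)",
    },
    {
        "_id": "doc-2",  # same window, but recovered: must not match "ALERT"
        "alert_date": "2021-04-03T12:56:20.001Z",
        "alert_state": "OK",
        "context_reason": "system.cpu.total.norm.pct is below the threshold of 90%",
    },
    {
        "_id": "doc-3",  # a real alert, but a day old: outside the query window
        "alert_date": "2021-04-02T09:00:00.000Z",
        "alert_state": "ALERT",
        "context_reason": "system.cpu.total.norm.pct is greater than a threshold of 90% (current value is 97%)",
    },
]

# The rule as posted (no timestamp_field) and the rule with the fix applied.
POSTED_RULE = {
    "name": "query metric alerts",
    "type": "any",
    "index": "metric*",
    "filter": [{"query": {"simple_query_string": {"query": "ALERT"}}}],
}
FIXED_RULE = dict(POSTED_RULE, timestamp_field="alert_date")

# Assumed 15-minute window that contains doc-1 and doc-2.
WINDOW_END = datetime(2021, 4, 3, 12, 57, tzinfo=timezone.utc)
WINDOW_START = WINDOW_END - timedelta(minutes=15)


def _parse_ts(value):
    """ISO-8601 with an optional trailing Z (the form the constructed docs use)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_query(rule, start, end):
    """Wrap the rule's filters in the range clause ElastAlert always adds."""
    ts_field = rule.get("timestamp_field", DEFAULT_TIMESTAMP_FIELD)
    must = [{"range": {ts_field: {"gt": start.isoformat(), "lte": end.isoformat()}}}]
    must.extend(rule.get("filter", []))
    return {"query": {"bool": {"filter": {"bool": {"must": must}}}}}


def _range_hit(doc, range_clause):
    (field, bounds), = range_clause.items()
    if field not in doc:
        return False  # a range query excludes documents that lack the field
    ts = _parse_ts(doc[field])
    return _parse_ts(bounds["gt"]) < ts <= _parse_ts(bounds["lte"])


def _simple_query_string_hit(doc, text):
    """Simplified stand-in: does any string value contain the term as a token?"""
    term = text.lower()
    for value in doc.values():
        if isinstance(value, str) and term in re.split(r"[^\w]+", value.lower()):
            return True
    return False


def _clause_hit(doc, clause):
    if "range" in clause:
        return _range_hit(doc, clause["range"])
    if "query" in clause and "simple_query_string" in clause["query"]:
        return _simple_query_string_hit(doc, clause["query"]["simple_query_string"]["query"])
    raise NotImplementedError(f"unsupported clause in this model: {clause}")


def run_rule(rule, docs, start, end):
    """Return the _ids of docs that satisfy every clause of the wrapped query."""
    must = build_query(rule, start, end)["query"]["bool"]["filter"]["bool"]["must"]
    return [d["_id"] for d in docs if all(_clause_hit(d, c) for c in must)]


if __name__ == "__main__":
    for label, rule in (("posted rule", POSTED_RULE), ("with timestamp_field", FIXED_RULE)):
        hits = run_rule(rule, SAMPLE_DOCS, WINDOW_START, WINDOW_END)
        print(f"{label}: {len(hits)} hits {hits}")
```

With the posted rule every document is dropped by the `@timestamp` range clause before the `simple_query_string` filter is even consulted, which is exactly the `0 / 0 hits` seen in the log; with `timestamp_field: alert_date` the window admits `doc-1` and `doc-2`, and the filter keeps only `doc-1`. When a rule returns zero hits, checking which field ElastAlert is ranging on (and that the field is mapped as a date) is the first thing to verify.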

@keny2021

Is that so. Please do your best.