These are chat archives for Yelp/elastalert

8th Mar 2016
Sian Lerk Lau
@kiawin
Mar 08 2016 04:07
Hi, does type "frequency" by default search for 15 minutes of data?
INFO:elastalert:Queried rule Example rule from 2016-03-08 03:51 UTC to 2016-03-08 04:06 UTC: 6 hits
tanyewei
@tanyewei
Mar 08 2016 05:00
name: xxx-aaa
type: "frequency"
index: xxx-*
num_events: 1
timeframe:
  minutes: 10
doc_type: "xxx"
use_count_query: true
query_delay:
  minutes: 1
alert:
  - "debug"

run_every = 2 minutes
Logs:

At least 1 events occurred between 2016-03-08 12:35 CST and 2016-03-08 12:45 CST
At least 1 events occurred between 2016-03-08 12:37 CST and 2016-03-08 12:47 CST
At least 1 events occurred between 2016-03-08 12:38 CST and 2016-03-08 12:48 CST
At least 1 events occurred between 2016-03-08 12:40 CST and 2016-03-08 12:50 CST
At least 1 events occurred between 2016-03-08 12:42 CST and 2016-03-08 12:52 CST
At least 1 events occurred between 2016-03-08 12:44 CST and 2016-03-08 12:54 CST

Why is the alarm called every two minutes?

Is there something wrong?
Sian Lerk Lau
@kiawin
Mar 08 2016 05:05
@tanyewei looks like it matches your rules, hence the alert was triggered, I think
sunilmchaudhari
@sunilmchaudhari
Mar 08 2016 05:05
Is there anybody to help me out?
I am facing a blist dependency issue while running ElastAlert.
Basically, why does ElastAlert need blist? Can we skip blist and still use ElastAlert? How do we skip that?
tanyewei
@tanyewei
Mar 08 2016 05:13
@kiawin So the timeframe option doesn't work?
Sian Lerk Lau
@kiawin
Mar 08 2016 05:16
@tanyewei I think the timeframe is the search range,
not the wait time between rule validation executions
tanyewei
@tanyewei
Mar 08 2016 05:17
@kiawin run_every is the search range
sunilmchaudhari
@sunilmchaudhari
Mar 08 2016 05:17
@tanyewei, I guess you asked ElastAlert to run every 2 minutes in config.yaml in the ElastAlert home directory; that's why it runs every 2 minutes. There is nothing wrong in your configuration, I guess!
@tanyewei timeframe is responsible for the duration in which the number of events is logged. It comes into the picture in the case of the frequency rule type.
Sian Lerk Lau
@kiawin
Mar 08 2016 05:19
for frequency type, timeframe is the time that num_events must occur within.
tanyewei
@tanyewei
Mar 08 2016 05:21
@sunilmchaudhari What's the relationship between timeframe and run_every?
Sian Lerk Lau
@kiawin
Mar 08 2016 05:21
@sunilmchaudhari by any chance do you know how I can limit the query made by elastalert? Let's say I use the frequency type and timeframe is 2 hours, hence I just want elastalert to query for 2 hours of data
@tanyewei run_every defines how frequently elastalert will run the rule validation, while the timeframe definition depends on the "type" of rule, e.g. frequency
sunilmchaudhari
@sunilmchaudhari
Mar 08 2016 05:31
@kiawin, in your case, how's that if you set run_every to 24 hours? Try this.
Sian Lerk Lau
@kiawin
Mar 08 2016 05:31
Oh? I wish to run every 2 hours actually. hahaha
sunilmchaudhari
@sunilmchaudhari
Mar 08 2016 05:33
@kiawin, you said your timeframe is 2 hrs. So you want logs in between those 2 hrs only, and you want logs between that time duration, correct? Your line :smile: "hence I just want elastalert to query for 2 hours of data"
Sian Lerk Lau
@kiawin
Mar 08 2016 05:34
Yup, you are right :D
tanyewei
@tanyewei
Mar 08 2016 05:37
@kiawin If I use use_count_query, the alarm is called every two minutes
Sian Lerk Lau
@kiawin
Mar 08 2016 05:39
@tanyewei I guess it matches, that is why it triggers the alert
tanyewei
@tanyewei
Mar 08 2016 05:59
@kiawin The frequency type cannot use use_count_query?
Sian Lerk Lau
@kiawin
Mar 08 2016 06:09
We can use use_count_query for the frequency type
tanyewei
@tanyewei
Mar 08 2016 06:17
@kiawin How?
Sian Lerk Lau
@kiawin
Mar 08 2016 06:19
You can set use_count_query to true,
then set doc_type to the value of _type in your ELK record entry
tanyewei
@tanyewei
Mar 08 2016 06:24
@kiawin It will call the alert according to the run_every value.
Sian Lerk Lau
@kiawin
Mar 08 2016 06:26
@tanyewei if the alert is triggered, that is because it meets your criteria of matching 1 record.
tanyewei
@tanyewei
Mar 08 2016 06:39
@kiawin So what is timeframe useful for?
Sian Lerk Lau
@kiawin
Mar 08 2016 06:48
@tanyewei It all depends on what you wish to detect. You define it in your filter.
sunilmchaudhari
@sunilmchaudhari
Mar 08 2016 06:57
How do I install ElastAlert offline?
Quentin Long
@Qmando
Mar 08 2016 19:05
@tanyewei: timeframe is meaningless if you have `num_events: 1`. The frequency type means "num_events documents in timeframe time", so if num_events is 1, the timeframe doesn't matter.
You want to set realert to prevent alerts from going off back to back.