These are chat archives for Yelp/elastalert

5th Apr 2016
sunilmchaudhari
@sunilmchaudhari
Apr 05 2016 07:14

Hi,
I am using elastAlert. I can see elastalert_status index in Kibana.
There are many fields of elastalert. However, I want to see the queries it's hitting ES with. I learnt that I can modify rules at runtime and it behaves accordingly.
So I removed one query from rule.yaml and wanted to check whether it was really removed or not.
Can I see those queries in Kibana under elastalert_status index?

br,
Sunil

Quentin Long
@Qmando
Apr 05 2016 21:48
And yes, removing a file will stop the alert from running
@apanimesh061 ElastAlert queries for timestamped data, so you probably want to just alert on everything that's 10+ hours old. Try
query_delay:
  hours: 10
type: any
Although, new things would eventually become 10 hours old.
Every query elastalert makes has a time range associated with it. If you are trying to just make queries without any time constraints, elastalert might not cover that use case.
Quentin Long
@Qmando
Apr 05 2016 22:11
You might have to write your own rule type for that, http://elastalert.readthedocs.org/en/latest/recipes/adding_rules.html