These are chat archives for Yelp/elastalert

Apr 2016
Apr 05 2016 07:14

I am using ElastAlert. I can see the elastalert_status index in Kibana.
There are many fields of elastalert. However, I want to see the queries it's hitting ES with. I learnt that I can modify rules at runtime and it behaves accordingly.
So I removed one query from rule.yaml and wanted to check whether it was really removed or not.
Can I see those queries in Kibana under the elastalert_status index?
Quentin Long
Apr 05 2016 21:48
And yes, removing a file will stop the alert from running.
@apanimesh061 ElastAlert queries for timestamped data, so you probably want to just alert on everything that's 10+ hours old. Try:
  hours: 10
type: any
Although, new things would eventually become 10 hours old.
Every query ElastAlert makes has a time range associated with it. If you are trying to just make queries without any time constraints, ElastAlert might not cover that use case.
Quentin Long
Apr 05 2016 22:11
You might have to write your own rule type for that.