These are chat archives for Yelp/elastalert
When I run this basic query_string filter I receive a match:

filter:
- query:
    query_string:
      query: "message: *APC*"
INFO:elastalert:Alert for Test email rule TWO, <44>Oct 5 17:53:59 <HOSTNAME REMOVED> APC: Test Syslog. at 2017-10-05T15:57:27.039Z:
INFO:elastalert:Test email rule TWO
However, when I expand it to search for more strings using OR I receive no matches, even though the original query is still included:

filter:
- query:
    query_string:
      query: "message: *APC* OR message: *UPS: On battery power* OR message: *UPS: No longer on battery power*"
INFO:elastalert:Queried rule Test email rule TWO from 2017-10-06 13:13 CEST to 2017-10-06 13:28 CEST: 0 / 0 hits
message: *UPS: On battery power* doesn't do quite what you expect, I think. It actually means "Does message contain *UPS OR does "on" appear anywhere OR does "battery" appear anywhere OR does "power" appear anywhere". That being said, this should only return more results, not less. Do you definitely have a matching document in the time period queried?
elastalert-test-rule --count-only --days 1 your_rule.yaml
It will be a quick way to see how many total documents your filters match from the last 24 hours.