These are chat archives for Yelp/elastalert

6th Oct 2017
Quentin Long
@Qmando
Oct 06 2017 00:25
@manya12 Linking to Kibana only works with Kibana 3 and 4, and it's super super basic. Barely better than just adding a static link in the alert_text.
phlll-f
@phlll-f
Oct 06 2017 13:24

When I run this basic query_string filter I receive a match:

filter:
- query:
    query_string:
      query: "message: *APC*"

INFO:elastalert:Alert for Test email rule TWO, <44>Oct 5 17:53:59 <HOSTNAME REMOVED> APC: Test Syslog. at 2017-10-05T15:57:27.039Z:
INFO:elastalert:Test email rule TWO

manya12
@manya12
Oct 06 2017 13:25
@Qmando But I have Kibana 5.3.0.
phlll-f
@phlll-f
Oct 06 2017 13:26

However, when I expand it to search for more strings using OR, I receive no matches even though the original query is still included:

filter:
- query:
    query_string:
      query: "message: *APC* OR message: *UPS: On battery power* OR message: *UPS: No longer on battery power*"

INFO:elastalert:Queried rule Test email rule TWO from 2017-10-06 13:13 CEST to 2017-10-06 13:28 CEST: 0 / 0 hits

manya12
@manya12
Oct 06 2017 13:26
Is it possible to give its link in the elastalert email text?
phlll-f
@phlll-f
Oct 06 2017 13:30
Running Elasticsearch 5.6.1.
Does anyone here know why I don't get a match when using the second filter?
Quentin Long
@Qmando
Oct 06 2017 17:14
@phlll-f The message: *UPS: On battery power* doesn't do quite what you expect, I think. It actually means "Does message contain *UPS, OR does 'on' appear anywhere, OR does 'battery' appear anywhere, OR does 'power' appear anywhere?" That being said, this should only return more results, not less. Do you definitely have a matching document in the time period queried?
If you try running elastalert-test-rule --count-only --days 1 your_rule.yaml, it will be a quick way to see how many total documents your filters match from the last 24 hours.
@manya12 You have to put a static link into the alert_text.
There's no support for "smart" Kibana 5 links.