    Naoyuki Sano
    Vlad Vetshtein
    Hi everyone,
    Where can I find some information about why Yelp stopped using and updating elastalert?
    What is the future of elastalert? Is elastalert 2 just a bug-fix and support version, or does it have a future roadmap?
    Hi. Is it possible to store the credentials for HTTP POST basic auth in environment variables? We are using elastalert in CI/CD, and hardcoding creds in each rule seems like a bad way to go about it.

    My use case is something like the following. I have a nested array of objects, warehouses, and I am trying to filter based on the last element of the array.

    I am getting some results, but not the correct ones. I would also like to know how exactly it is working.

    Let's say I want to search for a product based on the stock in the last element of the warehouses array. This is what the product document looks like:

    {
      "productId": 5,
      "productName": "Shoes",
      "warehouses": [
        { "location": "Location A", "quantity": 100 },
        { "location": "Location B", "quantity": 10 },
        { "location": "Location C", "quantity": 50 }
      ]
    }

    And its mapping is:

    PUT /products
    {
      "mappings": {
        "properties": {
          "productId": {
            "type": "integer"
          },
          "productName": {
            "type": "text",
            "fields": {
              "raw": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "warehouses": {
            "properties": {
              "location": {
                "type": "text"
              },
              "quantity": {
                "type": "integer"
              }
            }
          }
        }
      }
    }

    Let's say I index the following 7 documents (the bulk API needs an action line before each document):

    POST products/_bulk
    {"index":{}}
    {"productId":1,"productName":"Bags","warehouses":[{"location":"Location A","quantity":20},{"location":"Location B","quantity":30},{"location":"Location C","quantity":50}]}
    {"index":{}}
    {"productId":2,"productName":"Shirts","warehouses":[{"location":"Location A","quantity":100},{"location":"Location B","quantity":150},{"location":"Location C","quantity":150}]}
    {"index":{}}
    {"productId":3,"productName":"Shoes","warehouses":[{"location":"Location A","quantity":100},{"location":"Location B","quantity":10},{"location":"Location C","quantity":50}]}
    {"index":{}}
    {"productId":4,"productName":"Shirt","warehouses":[{"location":"Location A","quantity":100},{"location":"Location B","quantity":10},{"location":"Location C","quantity":60},{"location":"Location F","quantity":70}]}
    {"index":{}}
    {"productId":5,"productName":"Socks","warehouses":[{"location":"Location A","quantity":800},{"location":"Location B","quantity":1500},{"location":"Location Z","quantity":1000}]}
    {"index":{}}
    {"productId":6,"productName":"TV","warehouses":[{"location":"Location A","quantity":20},{"location":"Location B","quantity":150},{"location":"Location C","quantity":123}]}
    {"index":{}}
    {"productId":7,"productName":"Table","warehouses":[{"location":"Location A","quantity":20},{"location":"Location B","quantity":200},{"location":"Location C","quantity":140},{"location":"Location D","quantity":123}]}
    Now I would like to search for and filter products with "quantity": 123. Given the documents indexed above, I expect to get the products with id:6 and id:7, because they have quantity 123 as their last element.
    Here is my Painless(ful) script:

    GET /products/_search
    {
      "query": {
        "bool": {
          "must": {
            "match_all": {}
          },
          "filter": {
            "bool": {
              "must": {
                "script": {
                  "script": {
                    "lang": "painless",
                    "source": """
                      def x = doc['warehouses.quantity'];
                      def flag = false;
                      if (x[x.length - 2] == params.limit) {
                        flag = true;
                      }
                      return flag;
                    """,
                    "params": {
                      "limit": 123
                    }
                  }
                }
              }
            }
          }
        }
      }
    }

    So with the above script I get a result for id:6, which is the TV product. And when I replace x[x.length - 2] with x[x.length - 3], I get the result for id:7.

    I am not sure how to get a result that contains both documents, id:6 (TV) and id:7 (Table).

    I am using Elasticsearch version: 7.8.1.

    Hi guys. Can somebody tell me whether it is possible to send alerts with elastalert to Telegram when some Tomcat app fails, without writing modules?
    I've got an Elastalert rule set up to alert me when a cert is going to expire. Right now, the alert is set to go off when the certificate expires in 365d or less.
    I am monitoring 13 web pages with 13 different certificates. When the alert triggers, the email body only contains information about 1 cert, and it is usually the same cert. What changes do I need to make so that all certs get picked up and alerted on at the same time?
    name: Certificate Expiration (365 days)
    description: TLS certificate not valid in 365 days
    type: any
    index: heartbeat-*
    filter:
      - range:
            gte: now
            lt: now+365d
      minutes: 1
    Hi everyone, I have a problem with elastalert. I have an index file in Elasticsearch with various fields.
    I would like to create a new elastalert module which calculates a ratio.
    Let me explain. I would like to calculate the ratio between all the records with (field1 = A and field2 = B and field3 = C) and the records with (field1 = A and field2 = B and field3 = Z) over a certain timeframe.
    Has anyone tried to create a new module to calculate such a ratio?

    Can someone explain to me why the elastalert_error index has the following mapping, which means there is no option to filter by rule name or any other parameter of the rule?

    "data": {
      "type": "object",
      "enabled": false
    }

    Is there any way to change this in the elastalert configuration?

    Can anyone help me with this question?
    Jabes Pauya

    Hello, good day. I am querying in elastalert using term filters, i.e.:

    filter:
      - term:
          container.name: "sample"
      - term:
          namespace.name: "testing"
      - term:
          message: "level:ERROR"

    In the parsed result from Kibana I want to extract the level: ERROR from the message. The result in Kibana:
    message{"namespace.name":"testing", "container.name":"level":"ERROR", xxxxx }

    can you help me?

    Hi, I did a metric aggregation sum on my data, but it's not alerting:

    metric_agg_key: "bytes_out"
    doc_type: "logs"
    hours: 24
    metric_agg_type: "sum"
    minutes: 0
    max_threshold: 1000000000
    is_enabled: true
    minutes: 2
    query_key: "user_email.keyword"
    allow_buffer_time_overlap: true
      - "bytes_out"
      - "user_email.keyword"

    The query is meant to sum bytes_out per email.
    When I query and sum bytes_out myself, there are emails whose sum of bytes_out is larger than 1000000000.
    Is it because the query result is too large?
    There are no errors in the logs.
    How do I access a value under an array? It returns MISSING VALUE.

    I want to get the data of the message field, but it didn't succeed.

    How do I access a value under an array?

      - "@timestamp"
      - service.name
      - error.exception.message

    error.exception.message format:

    "error": {
      "exception": [
        {
          "stacktrace": [ ... ],
          "handled": false,
          "message": "XXXX",
          "type": "XXXX"
        }
      ]
    }

    ✖ E S L A M ✖
    Telegram gives me an error:
    Error initiating alert ['slack', 'Telegram']: Could not import module Telegram: not enough values to unpack
    Hi everyone, I have a newbie question: can I create a custom rule that creates a match for each new document in an index?
    Details: I'm using Metricbeat to monitor my cluster health. I created a Kibana rule that creates a document in the index "elastalert-metrics", and elastalert is configured to query this index every minute. I want it to send an email for each new document (there can be 10 documents per minute), but I only get one email alert every minute.
    Can anyone help me, please?
    I need help. There is a field in the Kibana logs: DateField: 2021_12_27 (it's a string, not a date). I want to convert this to a date, compare it to the current date and trigger an alert if the difference is more than 20 days.