    Naoyuki Sano
    @nsano-rururu
    Vlad Vetshtein
    @vvvlad
    Hi everyone,
    Where can I find some information about why Yelp stopped using and updating elastalert?
    What is the future of elastalert? Is elastalert 2 just a bug fix and support version, or does it have some future roadmap?
    3 replies
    tl-Bruno-Braga
    @tl-Bruno-Braga
    Hi. Is it possible to store the credentials for http post basic auth in env variables? We are using elastalert in CI/CD and hardcoding creds in each rule seems like a bad way to go about it.
    Aniket
    @ani2fun

    My use case is something similar to the following. I have a nested array of objects, warehouses, and I am trying to filter based on the last element of the array.

    I am getting some results but not the correct one. I would also like to know how exactly it is working.

    Let's say,

    I want to search for a product based on the stock in the last element of the warehouses array. This is what the product document looks like:

    {
      "productId": 5,
      "productName": "Shoes",
      "warehouses": [
        {
          "location": "Location A",
          "quantity": 100
        },
        {
          "location": "Location B",
          "quantity": 10
        },
        {
          "location": "Location C",
          "quantity": 50
        }
      ]
    }

    And its mapping is:

    PUT /products
    {
      "mappings": {
        "properties": {
          "productId": {
            "type": "integer"
          },
          "productName": {
            "type": "text",
            "fields": {
                "raw": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "warehouses": {
            "properties": {
              "location": {
                "type": "text"
              },
              "quantity": {
                "type": "integer"  
              }
            }
          }
        }
      }
    }

    Let's say I index the following 7 documents:

    POST products/_bulk
    {"index":{"_id":1}}
    {"productId":1,"productName":"Bags","warehouses":[{"location":"Location A","quantity":20},{"location":"Location B","quantity":30},{"location":"Location C","quantity":50}]}
    {"index":{"_id":2}}
    {"productId":2,"productName":"Shirts","warehouses":[{"location":"Location A","quantity":100},{"location":"Location B","quantity":150},{"location":"Location C","quantity":150}]}
    {"index":{"_id":3}}
    {"productId":3,"productName":"Shoes","warehouses":[{"location":"Location A","quantity":100},{"location":"Location B","quantity":10},{"location":"Location C","quantity":50}]}
    {"index":{"_id":4}}
    {"productId":4,"productName":"Shirt","warehouses":[{"location":"Location A","quantity":100},{"location":"Location B","quantity":10},{"location":"Location C","quantity":60}, {"location":"Location F","quantity":70}]}
    {"index":{"_id":5}}
    {"productId":5,"productName":"Socks","warehouses":[{"location":"Location A","quantity":800},{"location":"Location B","quantity":1500},{"location":"Location Z","quantity":1000}]}
    {"index":{"_id":6}}
    {"productId":6,"productName":"TV","warehouses":[{"location":"Location A","quantity":20},{"location":"Location B","quantity":150},{"location":"Location C","quantity":123}]}
    {"index":{"_id":7}}
    {"productId":7,"productName":"Table","warehouses":[{"location":"Location A","quantity":20},{"location":"Location B","quantity":200},{"location":"Location C","quantity":140}, {"location":"Location D","quantity":123}]}
    Now I would like to search and filter products with "quantity": 123. So as per the above indexed documents, I am supposed to filter and get the products with id:6 and id:7, because they have quantity: 123 as their last element.

    Here is my Painless(ful) script:
    
    GET /products/_search
    {
      "query": {
        "bool": {
          "must": {
            "match_all": {}
          },
          "filter": {
            "bool": {
              "must": {
                "script": {
                  "script": {
                    "lang": "painless",
                    "source": """
                      def x = doc['warehouses.quantity'];
    
                      def flag = false;
                        if(x[x.length - 2 ] == params.limit) {
                          flag = true;
                        }
    
                      return flag;
                    """,
                    "params": {
                      "limit": 123
                    }
                  }
                }
              }
            }
          }
        }
      }
    }

    So in the above script I get the result for id:6, which is the TV product. And when I replace x[x.length - 2 ] with x[x.length - 3 ] I get the result for id:7.

    I am not sure how to get a result which contains both documents, [id:6 (TV) and id:7 (Table)].

    I am using Elasticsearch version: 7.8.1.

    1 reply
    sudores
    @sudores
    Hi guys. Can somebody say, is it possible to send alerts with elastalert to Telegram when some Tomcat app is failing, without writing modules?
    gittanner
    @gittanner
    I've got an Elastalert set up to alert me when a cert is going to expire. Right now, the alert is set to go off when the certificate expires in 365d or less.
    I am monitoring 13 webpages with 13 different certificates. When the alert triggers, the email body only contains information about 1 cert, and it is usually the same cert. What changes do I need to make so that all certs get picked up and alerted at the same time?
    name: Certificate Expiration (365 days)
    description: TLS certificate not valid in 365 days
    type: any
    index: heartbeat-*
    filter:
     - range:
         tls.server.x509.not_after:
           gte: now
           lt: now+365d
    realert:
      minutes: 1
    maxbruso
    @maxbruso
    Hi everyone, I have a problem with elastalert. I have an index in Elasticsearch with various fields.
    I would like to create a new module for elastalert which calculates a ratio.
    Let me explain. I would like to calculate the ratio between all the records with (field1 = A and field2 = B and field3 = C) and the records with (field1 = A and field2 = B and field3 = Z) for a certain timeframe.
    Has someone tried to create a new module to calculate the ratio?
    vvvlad
    @vvvlad_twitter

    Hi,
    Can someone explain to me what is the reason for elastalert_error index to have the following mapping, which means there is no option to filter by rule name or any other parameter by the rule?

    "data" : {
      "type" : "object",
      "enabled" : false
    }

    Any way to change this in the elastalert configuration?
    Thanks!

    vvvlad
    @vvvlad_twitter
    Can anyone help me with this question?
    Jabes Pauya
    @yabetsu93

    Hello, good day. I am querying in elastalert; I am using term, i.e.

    filter:
      - term:
          container.name: "sample"
      - term:
          namespace.name: "testing"
      - term:
          message: "level:ERROR"

    In the parsed result from Kibana I want to extract the level: ERROR from the message result in Kibana.
    Example:
    message{"namespace.name":"testing", "container.name":"level":"ERROR", xxxxx }

    can you help me?

    kaihua-liu-exa
    @kaihua-liu-exa
    Hi, I did a metric aggregation sum on my data, but it's not working to alert:
    ```yaml
    metric_agg_key: "bytes_out"
    doc_type: "logs"
    buffer_time:
      hours: 24
    metric_agg_type: "sum"
    realert:
      minutes: 0
    max_threshold: 1000000000
    is_enabled: true
    query_delay:
      minutes: 2
    query_key: "user_email.keyword"
    allow_buffer_time_overlap: true
    top_count_keys:
      - "bytes_out"
      - "user_email.keyword"
    ```
    The query is to sum bytes_out for a specific email.
    When I query and sum the bytes_out, there are emails whose sum of bytes_out is larger than 1000000000.
    Is it because the query result is too large?
    There is no error from logs.
    wajika
    @wajika
    How to access a value under an array? It returns MISSING VALUE.

    I want to get the data of the message, but it didn't succeed.

    How to access a value under an array?

    alert_text_args:
      - "@timestamp"
      - service.name
      - error.exception.message

    error.exception.message format:

    "error": {
      "exception": [
        {
          "stacktrace": [
            XXXXXX
            ......
          ],
          "handled": false,
          "message": "XXXX",
          "type": "XXXX"
        }
      ]
    }

    ✖ E S L A M ✖
    @eslammalii_twitter
    Telegram gives me an error
    1 reply
    error
    Error initiating alert ['slack', 'Telegram']: Could not import module Telegram: not enough values to unpack
    dabenamor
    @dabenamor
    Hi everyone, I have a newbie question: can I create a custom rule that creates a match for each new document in an index?
    Details: I'm using Metricbeat to monitor my cluster health. I created a Kibana rule that creates a document in the index "elastalert-metrics", and elastalert is configured to query this index every minute. I want it to send an email for each new document (it can be 10 documents per minute), but I only get one email alert every minute.
    Can anyone help me please.
    Thanks
    elastalert214
    @elastalert214:matrix.org
    I need help. There is a field in Kibana logs: DateField: 2021_12_27 (it's a string, not a date). I want to convert this to a date, compare it to the current date, and trigger an alert if the difference is more than 20 days.