Elastalert: How to specify different run_every: values on rules

Created on 28 Apr 2016 · 18Comments · Source: Yelp/elastalert

I have some rules I want to run every 10 seconds, and some that can run only once a day. But I can't seem to find a way to override the run_every: value in the base config file. Is this currently supported?

Source

MatthewVines

👍6

Most helpful comment

Would like that feature!

amilsyb on 7 Feb 2018

👍11

All 18 comments

Not currently supported. You have to run multiple instances with two separate rules folders and two separate config files. They could both use the same elastalert_status index without problems.

Qmando on 28 Apr 2016

Thanks, is this a core philosophy issue? or something that I should look into adding to the project?

MatthewVines on 28 Apr 2016

If you want to add that, that would be awesome. The main looping code is pretty dumb now, it just runs everything and then sleeps. You could basically turn it into an async loop with each rule having it's own timing. I would definitely accept a pull request for that, it's just something I am unlikely to put the effort into at this point.

Qmando on 28 Apr 2016

Cool. It may not come soon, but I think I will be working with this tool a lot over the next few months. As I get more comfortable with it, I hope to contribute a bit.

MatthewVines on 28 Apr 2016

Excellent. I'm mostly in maintenance mode for this project at the moment but always happy to help and get pull requests. Ask in https://gitter.im/Yelp/elastalert if you have any questions.

Qmando on 28 Apr 2016

+1 This would be very helpful vs having a flood of checks then nothing.

djtecha on 25 Aug 2016

Would like that feature!

amilsyb on 7 Feb 2018

👍11

Do we have this feature now ?

bharatm89 on 30 Jul 2019

It's in the beta releases, which I'm very very close to merging with master.

Qmando on 30 Jul 2019

👍2

Hello @Qmando
Thanks for merging the beta into the master branch.
Please, can you share with us how we can actually configure the feature mentionned ealry in this thread per rule?
Thanks.

essodjolo on 7 Aug 2019

Add a different run_every to each rule's yaml. That's it.

Qmando on 8 Aug 2019

Thanks.

Essodjolo KAHANAM

---- On jeu., 08 août 2019 02:33:16 +0200 [email protected] wrote ----

Add a different run_every to each rule's yaml. That's it.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

essodjolo on 8 Aug 2019

Hello @Qmando

I've made a fresh installation of elastalert (had toubles with python 2 so did it with python3).
I'm able to start the program and my rule is loaded but I'm getting an exception after a while, and the program exits with: AttributeError: 'ElastAlerter' object has no attribute 'current_es'
Full trace

root@myserver:/opt/elastalert# python3 -m elastalert.elastalert --verbose
1 rules loaded
INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999926 seconds
INFO:elastalert:Queried rule My rule name from 2019-08-08 13:42 CEST to 2019-08-08 13:57 CEST: 9 / 9 hits
ERROR:root:Traceback (most recent call last):
  File "/opt/elastalert/elastalert/elastalert.py", line 1259, in handle_rule_execution
    num_matches = self.run_rule(rule, endtime, rule.get('initial_starttime'))
  File "/opt/elastalert/elastalert/elastalert.py", line 900, in run_rule
    if not self.run_query(rule, rule['starttime'], endtime):
  File "/opt/elastalert/elastalert/elastalert.py", line 660, in run_query
    self.current_es.clear_scroll(scroll_id=scroll_id)
AttributeError: 'ElastAlerter' object has no attribute 'current_es'

ERROR:root:Uncaught exception running rule My rule name: 'ElastAlerter' object has no attribute 'current_es'

Could you please provide any help?
Thanks.

essodjolo on 8 Aug 2019

@Qmando
Found a solution.
Changed line 660 of elastalert/elastalert/elastalert.py to

self.thread_data.current_es.clear_scroll(scroll_id=scroll_id)

I was able to get my rule triggered and received a Slack alert.

essodjolo on 8 Aug 2019

But I would have tought that run_every directive per rule will override the one in config.yml but this is not the case for me.
Is there anything I'm missing?

run_every:
  seconds: 5

essodjolo on 8 Aug 2019

@Qmando I've faced the same issue. run_every in a rule doesn't override default one in config.
I'm using the latest version of elastalert available: 0.2.1.

Here're my config

    rules_folder: /opt/rules
    scan_subdirectories: false
    run_every:
      minutes: 3
    buffer_time:
      minutes: 10
    es_host: eshost
    es_port: 443
    writeback_index: elastalert_status
    use_ssl: True
    verify_certs: True
    alert_time_limit:
      minutes: 2880

and rules:

    name: TEST Error
    type: frequency
    index: "logs-*"
    num_events: 1
    attach_related: true
    timeframe:
      minutes: 10
    run_every:
      minutes: 10
    alert_subject: "TEST Error Occured at {0}"
    alert_subject_args:
    - "@timestamp"
    alert_text: "*Chart:* {0} *Component:* {1} *Pod:* {2}\n\n{3}"
    alert_text_args:
    - "kubernetes.labels.chart"
    - "kubernetes.labels.component"
    - "kubernetes.pod_name"
    - "log"
    filter:
      - query:
          query_string:
            query: "query_goes_here"
    alert:
      - "slack"
    slack:
    slack_webhook_url: slack_webhook_url
    slack_channel_override: "#slack-channel"

I have a list of similar rules with different queries and run_every parameter.

What's wrong here?

@essodjolo Did you manage to find the workaround except running another instance of elastalert?