I'm doing some testing with elastalert 0.0.80. I made some changes to my test alert and then started seeing stderr output like this. I think I did change the aggregation originally from a schedule to 15 minutes before this first started happening:
INFO:elastalert:Starting up
INFO:elastalert:Queried rule Monitor - TEST from 2016-05-19 16:13 EDT to 2016-05-20 16:13 EDT: 8454 hits
INFO:elastalert:New aggregation for Monitor - TEST. next alert at 2016-05-19 20:28:57.650000+00:00.
INFO:elastalert:Ignoring match for silenced rule Monitor - TEST
INFO:elastalert:Ignoring match for silenced rule Monitor - TEST
INFO:elastalert:Ignoring match for silenced rule Monitor - TEST
INFO:elastalert:Ignoring match for silenced rule Monitor - TEST
INFO:elastalert:Ignoring match for silenced rule Monitor - TEST
...
How did my rule get 'silenced' and what does that mean? I tried to reset this condition by renaming the rule and deleting the elastalert_status index and recreating it but it still gives me these messages.
This is my rule:
name: Monitor - TEST
type: frequency
index: logstash-%Y.%m.%d
use_strftime_index: true
num_events: 1
timeframe:
minutes: 15
aggregation:
minutes: 15
filter:
- query:
query_string:
query: 'type:userlog AND userName:montest*'
alert:
- email
email:
- testmon
PMDubuc
All 2 comments
By default, you will only get one alert per rule per minute. This is because the default value for realert is minutes: 1. You can set this to 0 to get every alert.
Qmando
on 23 May 2016
Thank you!
PMDubuc
on 23 May 2016
Related issues
abhishekjiitr
路
3Comments
Shashankft9
路
3Comments
shaohk
路
4Comments
otisonoza
路
4Comments
MaximilianKaltner
路
3Comments
Most helpful comment
By default, you will only get one alert per rule per minute. This is because the default value for
realertisminutes: 1. You can set this to 0 to get every alert.