Elastalert: Matches is not 0, but 0 alerts sent

Created on 11 May 2017  路  4Comments  路  Source: Yelp/elastalert

HI:
My rules:

es_host: "192.168.7.173"
es_port: 9200
use_ssl: False
name: MySQLSlow
type: any
realert:
minutes: 1
index: mysqlslow-*
filter:

  • term:
    server_ip: 10.100.20.64
    alert:
  • debug
  • email
  • command
    email:
  • "[email protected]"
    smtp_host: 192.168.7.77
    smtp_port: 25
    from_addr: [email protected]
    command: ["echo haha > /data/logs/elastalter"]

Get the result:
INFO:elastalert:Ignoring match for silenced rule MySQLSlow INFO:elastalert:Skipping writing to ES: {'hits': 1944, 'matches': 50, '@timestamp': '2017-05-11T08:15:18.347630Z', 'rule_name': 'MySQLSlow', 'starttime': '2017-05-11T07:59:17.603006Z', 'endtime': '2017-05-11T08:15:17.656243Z', 'time_taken': 0.6913750171661377} INFO:elastalert:Ran MySQLSlow from 2017-05-11 15:59 CST to 2017-05-11 16:15 CST: 1944 query hits (1894 already seen), 50 matches, 0 alerts sent

Why the matches is not 0 but 0 alerts sent?

picture shaohk

Most helpful comment

sorry, I find the cause of this issue, because I run the process in debug mode.
# Don't send real alerts in debug mode if self.debug: alerter = DebugAlerter(rule) alerter.alert(matches) return None

picture shaohk on 12 May 2017
😄1 👍1

All 4 comments

This is because you have

realert:
  minutes: 1

That means that after the first alert, it will ignore matches for that rule for the next minute.

You can add

realert:
  minutes: 0

to get all of them.

Qmando picture Qmando on 11 May 2017

Hi:
I change the realert's value to "minutes: 0",but the alerts sent value also is 0.
eg:

INFO:elastalert:Skipping writing to ES: {'hits': 160, 'matches': 62, '@timestamp': '2017-05-12T04:13:33.612887Z', 'rule_name': 'MySQLSlow', 'starttime': '2017-05-12T04:11:32.549984Z', 'endtime': '2017-05-12T04:13:32.626604Z', 'time_taken': 0.9862711429595947}
INFO:elastalert:Ran MySQLSlow from 2017-05-12 12:11 CST to 2017-05-12 12:13 CST: 160 query hits (98 already seen), 62 matches, 0 alerts sent

shaohk picture shaohk on 12 May 2017

sorry, I find the cause of this issue, because I run the process in debug mode.
# Don't send real alerts in debug mode if self.debug: alerter = DebugAlerter(rule) alerter.alert(matches) return None

shaohk picture shaohk on 12 May 2017
😄1 👍1

It should print out
Note: In debug mode, alerts will be logged to console but NOT actually sent. To send them, use --verbose.

Qmando picture Qmando on 12 May 2017
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

serialdoom picture serialdoom  路  3Comments
shortstack picture shortstack  路  3Comments
JeffAshton picture JeffAshton  路  3Comments
abhishekjiitr picture abhishekjiitr  路  3Comments
aromualdo picture aromualdo  路  4Comments