Elastalert: cardinality rule, return unique value count?

Created on 18 Jan 2019  路  3Comments  路  Source: Yelp/elastalert

we have the following rule (replaced values with dummy data).

type: cardinality
cardinality_field: "unique_field"
min_cardinality: 40
timeframe:
  hours: 1
filter:
- term:
    term: "value"

we want to know when the count of "unique_field" drops below 40. i assume that on the backend, it's doing something like this: https://www.elastic.co/guide/en/elasticsearch/guide/current/cardinality.html

question: how do we get the aggregations value that gets returned in that query?

for example, when we get an alert, it says in the alert that the count dropped below 40. if that value is 36, how do we get the alert to return that 36?

thank you!

enhancement
Source
picture shortstack

Most helpful comment

What I found worked was:
match["cardinality_count"] = len(self.rule["type"].cardinality_cache["all"])

Which then allows you to reference it in your message like this:
alert_text: "Expected 12 but only {0} were found!"
alert_text_args: ["cardinality_count"]

picture NickHeap2 on 14 Oct 2019
👀1 🎉1 👍1

All 3 comments

There's no easy way to get this right now, but that does seem like a good feature.

You could write an enhancement to get this, it would be available in len(self.rule['ruletype'].cardinality_cache['all']).

Qmando picture Qmando on 23 Jan 2019
👍1

thanks for your help, i'm finally circling back to this.

i added this in elastalert_modules/my_enhancements.py

from elastalert.enhancements import BaseEnhancement

class GetUniqueCardinalityCount(BaseEnhancement):

    def process(self, match):
        cardinality_count = len(self.rule['ruletype'].cardinality_cache['all'])

added this to the bottom of a cardinality rule file, similar to the one i posted in the original issue:

match_enhancements:
- "elastalert_modules.my_enhancements.GetUniqueCardinalityCount"

currently, when our cardinality rules fire, we get num_hits, num_matches, and timestamp fields in our slack alerts. does this mean the field cardinality_count will also show up as a field in those alerts? or do i have to define it differently?

shortstack picture shortstack on 11 Jun 2019

What I found worked was:
match["cardinality_count"] = len(self.rule["type"].cardinality_cache["all"])

Which then allows you to reference it in your message like this:
alert_text: "Expected 12 but only {0} were found!"
alert_text_args: ["cardinality_count"]

NickHeap2 picture NickHeap2 on 14 Oct 2019
👀1 🎉1 👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Shashankft9 picture Shashankft9  路  3Comments
otisonoza picture otisonoza  路  4Comments
pdxkzeerkti picture pdxkzeerkti  路  4Comments
junaid1460 picture junaid1460  路  3Comments
AweiWoo picture AweiWoo  路  3Comments