Elastalert: terms does not support multiple fields

Created on 1 Feb 2019  路  5Comments  路  Source: Yelp/elastalert

I'm getting this error message when using multiple fields in terms:

[terms] query does not support multiple fields

Here's my configuration:

es_host: 10.9.x.x
es_port: 9200
type: frequency
index: app-stream-*
num_events: 3
timeframe:
    minutes: 30
filter:
- terms:
    request: ["/auth/token"]
    response: ["400"]
alert:
- sns
sns_topic_arn: "arn:aws:sns:us-east-1:xxxxxx:opsgenie"
picture prandelicious

Most helpful comment

Sure thing:

filter:
- bool:
    must:
    - terms:
        request: ["/auth/token"]
    - terms:
        response: ["400"]
picture pdscopes on 25 Feb 2019
👍2

All 5 comments

What version of ElasticSearch are you using? If it's >= 5 you'll been to AND terms together see https://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html for more details.

pdscopes picture pdscopes on 3 Feb 2019
👍1

Thank you! We're using 6.x. How do we AND terms together? Can you give an example?

prandelicious picture prandelicious on 21 Feb 2019

Sure thing:

filter:
- bool:
    must:
    - terms:
        request: ["/auth/token"]
    - terms:
        response: ["400"]
pdscopes picture pdscopes on 25 Feb 2019
👍2

For more information about it all see: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-bool-query.html

pdscopes picture pdscopes on 25 Feb 2019

Using ES7... have had more luck with query than term(s) lately

Maybe try:

- query:
    query_string:
      query: "request: /auth/token OR response: 400"
naseemkullah picture naseemkullah on 5 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

PMDubuc picture PMDubuc  路  3Comments
Eyad87 picture Eyad87  路  4Comments
serialdoom picture serialdoom  路  3Comments
junaid1460 picture junaid1460  路  3Comments
rhysxevans picture rhysxevans  路  3Comments