Elastalert: spike_aggregation rule type doesn't appear to be setup

Created on 27 Aug 2019 · 5 Comments · Source: Yelp/elastalert

I was getting an error when I tried to make a rule_type spike_aggregation.

  File "venv/bin/elastalert", line 11, in <module>
    sys.exit(main())
  File "/home/elastalert/venv/local/lib/python3.5/site-packages/elastalert/elastalert.py", line 2034, in main
    client = ElastAlerter(args)
  File "/home/elastalert/venv/local/lib/python3.5/site-packages/elastalert/elastalert.py", line 138, in __init__
    self.rules = self.rules_loader.load(self.conf, self.args)
  File "/home/elastalert/venv/local/lib/python3.5/site-packages/elastalert/loaders.py", line 125, in load
    raise EAException('Error loading file %s: %s' % (rule_file, e))
elastalert.util.EAException: Error loading file rules/rule.yaml: Could not import module spike_aggregation: not enough values to unpack (expected 2, got 1)

When I investigated, it looked like the spike aggregation class (SpikeMetricAggregationRule) is not set up in loaders.py rules_mapping. In my rule I used type: elastalert.ruletypes.SpikeMetricAggregationRule, which doesn't give an error.

Is it possible that this rule type has never been enabled or am I configuring the type wrongly?

All 5 comments

We had the same problem and we looked at the elastalert/loader.py file;
it seems that rule_mapping has no mapping for spike_aggregation.
We updated it with the following code:

rules_mapping = {
    'frequency': ruletypes.FrequencyRule,
    'any': ruletypes.AnyRule,
    'spike': ruletypes.SpikeRule,
    'blacklist': ruletypes.BlacklistRule,
    'whitelist': ruletypes.WhitelistRule,
    'change': ruletypes.ChangeRule,
    'flatline': ruletypes.FlatlineRule,
    'new_term': ruletypes.NewTermsRule,
    'cardinality': ruletypes.CardinalityRule,
    'metric_aggregation': ruletypes.MetricAggregationRule,
    'percentage_match': ruletypes.PercentageMatchRule,
    'spike_aggregation': ruletypes.SpikeMetricAggregationRule,
}

And now it works.

Hope this helps.
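The failure in the traceback and the effect of the mapping entry above, modelled as an added example (not ElastAlert's code and not part of the original thread). It assumes, consistent with the error message, that a `type:` value missing from the mapping is split into module and class at its last dot; the stand-in classes, `resolve_rule_type`, `check_rule_types` and the sample rule names are hypothetical.

```python
import importlib


class SpikeRule:                      # stand-in for ruletypes.SpikeRule
    pass


class SpikeMetricAggregationRule:     # stand-in for the class missing from the mapping
    pass


# Short-name table before the fix: no 'spike_aggregation' key.
RULES_MAPPING = {"spike": SpikeRule}


def resolve_rule_type(type_name, mapping):
    """Short names come from the mapping; anything else is read as module.Class."""
    if type_name in mapping:
        return mapping[type_name]
    try:
        # A bare name has no dot, so rsplit yields one element and the
        # two-name unpacking raises ValueError (expected 2, got 1).
        module_path, class_name = type_name.rsplit(".", 1)
        return getattr(importlib.import_module(module_path), class_name)
    except (ImportError, AttributeError, ValueError) as e:
        raise LookupError("Could not import module %s: %s" % (type_name, e))


def check_rule_types(rules, mapping):
    """Return {rule_file: error} for every rule whose type cannot be resolved."""
    failures = {}
    for rule_file, type_name in rules.items():
        try:
            resolve_rule_type(type_name, mapping)
        except LookupError as e:
            failures[rule_file] = str(e)
    return failures


# Constructed sample: rule file -> its `type:` value. The dotted stdlib path
# stands in for elastalert.ruletypes.SpikeMetricAggregationRule.
SAMPLE_RULES = {
    "cpu_spike.yaml": "spike_aggregation",
    "cpu_spike_dotted.yaml": "collections.OrderedDict",
    "errors.yaml": "spike",
}

if __name__ == "__main__":
    print("before:", check_rule_types(SAMPLE_RULES, RULES_MAPPING))
    patched = dict(RULES_MAPPING, spike_aggregation=SpikeMetricAggregationRule)
    print("after: ", check_rule_types(SAMPLE_RULES, patched))
```

Running a check like this over the rules directory before a deploy catches an unresolvable type before the alerting process fails to start.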

I also have the issue described above.

@nbaiocco, @Qmando Could you please proceed with a PR in order for the resolution to be merged and be available in the upcoming releases?

I manually added the line from https://github.com/nbaiocco/elastalert/pull/1 and reran setup. After that, the test worked.

I'd say that pull request can be merged. :)

After discovering the code shipped incomplete, I dug through the PRs and saw @nbaiocco has had a one-line PR languish. What needs to happen to see this advance so I don't have to apply a patch to every update locally?

Do I need to fork and resubmit a new PR?

Also looks like it was submitted in PR 2570
