Elastalert: Error running your filter

Created on 22 Feb 2020 · 4 Comments · Source: Yelp/elastalert

Hello all,
my rules for an index do not get hit and I have the following error for test-rule:
Error running your filter:
TypeError("search() got multiple values for argument 'body'",)
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts

INFO:elastalert:Queried rule user deleted from cloud from 2020-01-25 07:22 UTC to 2020-01-26 23:22 UTC: 0 / 0 hits
INFO:elastalert:Queried rule user deleted from cloud from 2020-01-26 23:22 UTC to 2020-01-28 15:22 UTC: 0 / 0 hits
INFO:elastalert:Queried rule user deleted from cloud from 2020-01-28 15:22 UTC to 2020-01-30 07:22 UTC: 0 / 0 hits
INFO:elastalert:Queried rule user deleted from cloud from 2020-01-30 07:22 UTC to 2020-01-31 23:22 UTC: 0 / 0 hits
INFO:elastalert:Queried rule user deleted from cloud from 2020-01-31 23:22 UTC to 2020-02-02 15:22 UTC: 0 / 0 hits

and here is my rule

name: user deleted from cloud
type: any
index: cloud*
filter:
  - query:
      query_string:
        query: "_type: doc"

All 4 comments

quote your name

name: "user deleted from cloud"
type: any
index: cloud*
filter:
  - query:
      query_string:
        query: "_type: doc"

@daichi703n
thanks for the correction
it didn't resolve anything
again I don't get any hits for this index
I also tested on a common field which exists in each log but it doesn't get hit

@kasramtm Sorry, I misread the logs...
Does cloud* match some index pattern? Please test with the full index name, not cloud*: cloud-xxx (your index name).

The index names can be checked with curl http(s)://<elasticsearch>:<port>/_cat/indices
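The check suggested in this comment can be scripted so that the two failure modes (wrong index pattern versus an ElastAlert user whose role cannot see the indices) are told apart. The following is an added example written for this thread, not code from ElastAlert or from the commenters; it assumes the default plain-text `_cat/indices` layout, in which the index name is the third column, and the two sample listings embedded in it are constructed.

```python
import fnmatch
from typing import List, Optional

# Constructed sample of `curl http(s)://<elasticsearch>:<port>/_cat/indices?v`
# when run as a superuser: the columns are
# health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
CAT_INDICES_AS_SUPERUSER = """\
health status index              uuid   pri rep docs.count docs.deleted store.size pri.store.size
green  open   cloud-2020.01.25   Abc123 1   1   1204       0            1.2mb      600kb
green  open   cloud-2020.01.26   Def456 1   1   980        0            1.0mb      500kb
yellow open   syslog-2020.01.26  Ghi789 1   1   50         0            100kb      100kb
"""

# Constructed sample of the same call made with the elastalert user's credentials.
# The cloud-* indices are absent because that user's role grants no privileges on them.
CAT_INDICES_AS_ELASTALERT = """\
health status index              uuid   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   syslog-2020.01.26  Ghi789 1   1   50         0            100kb      100kb
"""


def parse_cat_indices(text: str) -> List[str]:
    """Extract index names (third column) from plain `_cat/indices` output.

    The optional header row produced by `?v` is skipped.
    """
    names = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "health":
            continue
        names.append(parts[2])
    return names


def matching_indices(pattern: str, names: List[str]) -> List[str]:
    """Return the index names that the rule's `index:` glob (e.g. cloud*) would select."""
    return sorted(n for n in names if fnmatch.fnmatchcase(n, pattern))


def diagnose(pattern: str, visible_to_elastalert: List[str],
             visible_to_admin: Optional[List[str]] = None) -> str:
    """Classify why a rule's `index:` pattern yields 0 hits.

    Returns one of:
      "ok"                 - the elastalert user can see at least one matching index
      "no-such-index"      - nothing matches the pattern even for an admin: fix the pattern
      "missing-privileges" - matching indices exist but are hidden from the elastalert
                             user, so its role needs read access on them
      "unknown"            - nothing matches for the elastalert user and no admin listing
                             was supplied to distinguish the two cases
    """
    if matching_indices(pattern, visible_to_elastalert):
        return "ok"
    if visible_to_admin is None:
        return "unknown"
    if matching_indices(pattern, visible_to_admin):
        return "missing-privileges"
    return "no-such-index"


if __name__ == "__main__":
    admin = parse_cat_indices(CAT_INDICES_AS_SUPERUSER)
    alerter = parse_cat_indices(CAT_INDICES_AS_ELASTALERT)
    for pat in ("cloud*", "cloud-2020.01.25", "clould*"):
        print(f"{pat:20s} -> {diagnose(pat, alerter, admin)}")
```

Run the listing twice against a real cluster, once with the Kibana superuser and once with the credentials ElastAlert uses, and feed both outputs to `diagnose`; a result of `missing-privileges` points at the role assigned to the ElastAlert user rather than at the rule file, which is exactly the situation resolved later in this thread.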

you really helped me!!
I used curl with my elastalert user and surprisingly got nothing!!
The problem is I am a superuser in Kibana and work properly with that index, but my elastalert user didn't have permission on that index!
again thx for your quick help and reply
