I am trying to use a simple ElastAlert rule, and it does not seem to work properly. My rule is:
# Elasticsearch host
es_host: elasticsearch
# The elasticsearch port
es_port: 9200
name: dzd_count_zero
type: any
index: logstash-*
filter:
- term:
    project: "drop_zone_dub"
- terms:
    name: ["s3_count", "dzd_nas_pcount"]
alert:
- "email"
email:
- "myemail@m.com"
When I run it with debug on, I get:
elastalert:Ran dzd_count_zero from 2016-03-02 13:59 UTC to 2016-03-02 17:59 UTC: 16 query hits, 0 matches, 0 alerts sent
If the rule type is 'any', it should alert on every query hit, but as you can see it does not. Any ideas?
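One way to narrow this down is to check that the rule's filter list is well-formed and to run the same selection against the index directly, then compare the hit count with the 16 hits ElastAlert reports. The following is an added example and not part of the question or of ElastAlert itself; it embeds the filter list from the rule above as a Python structure (so it runs without PyYAML) and builds a plain bool/filter query from it, which is an assumption about an equivalent query, not a claim about how ElastAlert constructs its own.

```python
import json

# Filter list from the rule in the question, written as the Python equivalent of the
# YAML so this runs offline (constructed from the post, not parsed from a file).
RULE_FILTER = [
    {"term": {"project": "drop_zone_dub"}},
    {"terms": {"name": ["s3_count", "dzd_nas_pcount"]}},
]


def validate_filter(filters):
    """Return a list of problems found in an ElastAlert-style filter list.

    Each entry must be a dict with exactly one clause ('term' or 'terms' here).
    A 'term' clause takes one field with a scalar value; a 'terms' clause takes
    one field with a list of values. An empty result means the list is well-formed.
    """
    problems = []
    for i, entry in enumerate(filters):
        if not isinstance(entry, dict) or len(entry) != 1:
            problems.append(f"entry {i}: expected a dict with a single clause")
            continue
        clause, body = next(iter(entry.items()))
        if not isinstance(body, dict) or len(body) != 1:
            problems.append(f"entry {i}: '{clause}' must name exactly one field")
            continue
        field, value = next(iter(body.items()))
        if clause == "term" and isinstance(value, (list, dict)):
            problems.append(f"entry {i}: term on '{field}' needs a scalar value")
        elif clause == "terms" and not isinstance(value, list):
            problems.append(f"entry {i}: terms on '{field}' needs a list of values")
        elif clause not in ("term", "terms"):
            problems.append(f"entry {i}: unsupported clause '{clause}' in this checker")
    return problems


def to_es_query(filters):
    """Wrap the filter list in a bool query so it can be run against the index
    directly (assumed equivalent selection; not ElastAlert's own query builder)."""
    return {"query": {"bool": {"filter": list(filters)}}}


if __name__ == "__main__":
    print("problems:", validate_filter(RULE_FILTER) or "none")
    # Paste this body into a _search request against logstash-* and compare
    # hits.total with the 16 query hits shown in the debug output.
    print(json.dumps(to_es_query(RULE_FILTER), indent=2))
```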