False alerts with the Flatline rule in ElastAlert

Time: 2019-10-16 16:38:46

Tags: elasticsearch elastic-stack elk elastalert

Getting false positives for the Flatline rule.

My index has documents in the last 10 minutes, but my flatline rule sends false alerts. I checked the exact query made by ElastAlert by adding --es_debug_trace trace.log, and I get results for the time range in which the alert was triggered.

The following warning is observed every time the email alert fires (shown in verbose mode).

WARNING:elasticsearch:DELETE http://hostname:9200/_search/scroll [status:404 request:0.002s]

Rule

name: test_flatline
type: flatline
index: test-index-*
timeframe:
  minutes: 10
threshold: 1
alert:
- email
email:
- email_id@support_xyz.com
smtp_host: smtp.gmail.com
smtp_port: 587
smtp_ssl: false
from_addr: dev_ops@support_xyz.com
smtp_auth_file: elastalert/smtp_auth.yml

Config

rules_folder: /rule_dir
run_every:
  minutes: 15
buffer_time:
  minutes: 15
es_host: hostname
es_port: 9200
writeback_index: elastalert_status
alert_time_limit:
  days: 2

Email alert

An abnormally low number of events occurred around 2019-10-16 11:30 UTC.
Between 2019-10-16 11:20 UTC and 2019-10-16 11:30 UTC, there were less than 1 events.

@timestamp: 2019-10-16T11:30:24.304372Z


count: 0
key: all
num_hits: 0
num_matches: 1

Cluster details: Elasticsearch version 7.3, ElastAlert version 0.2.1
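One way to check offline whether the documents you see really fall inside the window the flatline rule evaluated. This is an added example, not code from the question or from ElastAlert: it re-creates the flatline decision from the rule's timeframe and threshold and the config's buffer_time, and the sample document timestamps are constructed. The alert email states the window ElastAlert used (11:20 to 11:30 UTC, run at 11:30:24), so the script can be fed that run time and the @timestamp values returned by the trace.log query.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the rule and config in the question
TIMEFRAME = timedelta(minutes=10)    # flatline: timeframe
THRESHOLD = 1                        # flatline: threshold
BUFFER_TIME = timedelta(minutes=15)  # config: buffer_time

def parse_ts(raw):
    """Parse an ISO-8601 timestamp. A value without an offset is taken as UTC,
    which is also how Elasticsearch reads a date field that carries no zone."""
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)

def flatline_check(raw_docs, run_ts, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """Re-run the flatline decision for one run: count documents whose @timestamp
    falls in (run_ts - timeframe, run_ts] and alert when the count is below threshold.
    Documents that only fall inside the wider buffer_time query window are reported
    separately so they can be compared with the query ranges seen in trace.log."""
    end = parse_ts(run_ts)
    window_start = end - timeframe
    query_start = end - BUFFER_TIME
    in_timeframe, only_in_buffer, outside = [], [], []
    for raw in raw_docs:
        ts = parse_ts(raw)
        if window_start < ts <= end:
            in_timeframe.append(raw)
        elif query_start < ts <= end:
            only_in_buffer.append(raw)
        else:
            outside.append(raw)
    count = len(in_timeframe)
    return {
        "window": (window_start.isoformat(), end.isoformat()),
        "count": count,
        "alert": count < threshold,
        "in_timeframe": in_timeframe,
        "only_in_buffer": only_in_buffer,
        "outside": outside,
    }

# Constructed sample documents (not taken from the question's index)
SAMPLE_DOCS = [
    "2019-10-16T11:22:10Z",        # inside the 10-minute window
    "2019-10-16T16:55:00+05:30",   # 11:25 UTC once the offset is applied: inside
    "2019-10-16T11:17:00Z",        # inside buffer_time (15 min) but not the timeframe
    "2019-10-16T16:55:00",         # no offset: read as 16:55 UTC, so outside the window
]

if __name__ == "__main__":
    for key, value in flatline_check(SAMPLE_DOCS, "2019-10-16T11:30:24.304372Z").items():
        print(f"{key}: {value}")
```

A document written in local time without an offset, like the last sample, is counted at the wrong UTC time and produces exactly the count: 0, num_hits: 0 result shown in the email even though the index "has documents".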

0 Answers:

No answers