Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.3k views
in Technique[技术] by (71.8m points)

kibana - ElastAlert range query is not sending alert emails even though the alert condition is met

I setup my ElastAlert rule as per below.

MyRangeAlert.yaml: |-
---
name: MyRangeAlert
type: frequency
limit_execution: "0/8 * * * *"
index: myindex-*
num_events: 1
timeframe:
  minutes: 15
filter:
- query:
    query_string:
      query: "request.keyword: "/api/rest/cms/content/cited-by/" AND response:503"
- range:
  field3:
    from: 150
    to: 200
alert:
- "email"
email:
- "[email protected]"
from_addr: "[email protected]"
alert_subject: " High Response Time at {0}."
alert_subject_args:
- "@timestamp"
alert_text: "Average response {0} seconds observed in last 20 minutes."
alert_text_args:
- field3
alert_text_type: alert_text_only

Then I inserted data to fulfill the condition.

 PUT MyRangeAlert/_doc/501
{
    "request.keyword": "/api/rest/cms/content/cited-by/",
    "response": 503,
    "tags": "account_compromised",
    "alert-triggered": true,
    "field3": 156,
    "city": "Kansas",
    "name": "sameera",
    "description": "desccrption 1032",
    "@timestamp": "2021-01-06T11:31:23+0000"
}

However. the alert is not sending an email. I removed the range then it's started to send alerts. Any suggestion or half answer also highly appreciated.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

There was an indention error worked after adding a space at front to field3.

filter:
    - query:
        query_string:
          query: "request.keyword: "/api/rest/cms/content/cited-by/" AND response:503"
    - range:
        field3:
          from: 150
          to: 200

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...