Something wrong with the rules #1298

baiyibing123 · 2023-10-17T02:17:36Z

baiyibing123
Oct 17, 2023

name: nginx
type: frequency
index: nginx
filter:

query:
query_string:
query: "status: (501 OR 502 OR 503 OR 504 OR 500)"
num_events: 100
timeframe:
minutes: 1
alert:
"elastalert_modules.feishu_alert.FeiShuAlerter"

feishu_webhook: "xxx"
feishu_msgtype: "text"

alert_text: |
kibana_url: "xxx"
http_host: {}
request_uri: {}
status: {}
_id: {}
alarm_reason: "1分钟内{}条日志出现报错"
alert_text_args:
- http_host
- request_uri
- status
- _id
- num_matches
alert_text_type: alert_text_only

These are my rules, I think the alarm should only be triggered if num_matches is greater than 100, but when the alarm comes out, I find the value of num_matches is 1

Answered by jertel

Oct 17, 2023

num_matches only includes the count in the current rule run. Since your spike of events spanned several minutes, the rule run that triggered the alert found 18 matches. Internally, ElastAlert 2 added this 18 to the previous rule run matches (from the previous few minutes) and that total exceeded the 100 num_events value, so it sent the alert.

Again, num_matches is only showing the current query matches, not the combined queries from previous runs.

View full answer

jertel · 2023-10-17T10:54:39Z

jertel
Oct 17, 2023
Maintainer

Please see #11 and reformat your question/rule so its indentation and syntax is accurately represented.

4 replies

baiyibing123 Oct 17, 2023
Author

name: nginx_feishu
type: frequency
index: nginx
filter:
- query:
    query_string:
      query: "status: (501 OR 502 OR 503 OR 504 OR 500)"
num_events: 100
timeframe:
    minutes: 1
include: ["fields.kafka_topic","http_host","request_uri","status"]    
alert:
- "elastalert_modules.feishu_alert.FeiShuAlerter"

feishu_webhook: "xxx"
feishu_msgtype: "text"

alert_text: |
    kibana_url: "xxx"
    fields.kafka_topic: {}
    http_host: {}
    request_uri: {}
    status: {}
    _id: {}
    alarm_reason: "1分钟内{}条日志出现报错"
alert_text_args:
    - fields.kafka_topic
    - http_host
    - request_uri
    - status
    - _id
    # - num_hits
    - num_matches
alert_text_type: alert_text_only

baiyibing123 Oct 17, 2023
Author

num_matches is obviously wrong. I don't know why

baiyibing123 Oct 17, 2023
Author

num_events: 1
It seems a little more normal at this point

jertel Oct 17, 2023
Maintainer

num_matches only includes the count in the current rule run. Since your spike of events spanned several minutes, the rule run that triggered the alert found 18 matches. Internally, ElastAlert 2 added this 18 to the previous rule run matches (from the previous few minutes) and that total exceeded the 100 num_events value, so it sent the alert.

Again, num_matches is only showing the current query matches, not the combined queries from previous runs.

Answer selected by jertel

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Something wrong with the rules #1298

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Something wrong with the rules #1298

baiyibing123 Oct 17, 2023

Replies: 1 comment · 4 replies

jertel Oct 17, 2023 Maintainer

baiyibing123 Oct 17, 2023 Author

baiyibing123 Oct 17, 2023 Author

baiyibing123 Oct 17, 2023 Author

jertel Oct 17, 2023 Maintainer

baiyibing123
Oct 17, 2023

Replies: 1 comment 4 replies

jertel
Oct 17, 2023
Maintainer

baiyibing123 Oct 17, 2023
Author

baiyibing123 Oct 17, 2023
Author

baiyibing123 Oct 17, 2023
Author

jertel Oct 17, 2023
Maintainer