bool operations not working #390

zayalaksme · 2021-08-06T20:50:26Z

zayalaksme
Aug 6, 2021

Hello Jertel,

Expecting: match 2 events/logs, one is 8.8.8.8 (google) ping up and 2nd event/log is tcp port down.
I am tryng Bool and must as shown in below rule, but there are no query hits? I followed the bool as showing in documentation (https://elastalert2.readthedocs.io/en/latest/recipes/writing_filters.html#negation-and-or). I am seeing logs/events in kibana discovery.

es_host: "10.250.10.63"
es_port: 5555
name: DOWNSERVICE
type: any
index: heartbeat-*
include:
  - message
num_events: 05
timeframe:
  seconds: 60
filter:
- bool:
    must:
      - bool:
          must: [ {term: {monitor.name: GOOGLE}}, {term: {monitor.status: up}} ]
      - bool:
          must: [ {term: {monitor.type: tcp}}, {term: {monitor.status: down}} ]
query_key: url.full
old_query_limit:
  hours: 1
alert:
- "debug"

Answered by jertel

Aug 6, 2021

You probably want to use should instead of must on the outer bool block. As you have it written now it is requiring both monitor.name = GOOGLE AND monitor.name = tcp, which is impossible. Study this blog post to better understand the bool concept: https://www.elastic.co/blog/lost-in-translation-boolean-operations-and-filters-in-the-bool-query

View full answer

jertel · 2021-08-06T21:09:18Z

jertel
Aug 6, 2021
Maintainer

You probably want to use should instead of must on the outer bool block. As you have it written now it is requiring both monitor.name = GOOGLE AND monitor.name = tcp, which is impossible. Study this blog post to better understand the bool concept: https://www.elastic.co/blog/lost-in-translation-boolean-operations-and-filters-in-the-bool-query

2 replies

zayalaksme Aug 13, 2021
Author

Hello Jertel, Thank you for your reply.

Is elastalert can query the 2 logs/events at the same time?

In above shared link i am seeing using the "must" to match prefference1 and preference2. Like this can below booll script will work? If it doesnt work can you please guide me in the correct way?

I am expecting this rule to send an alert if GOOLE ip is reachable and internet/wan link down in remote site.

filter:
- bool:
    must:
      - bool:
          must: [ {term: {monitor.name: GOOGLE}}, {term: {monitor.status: up}} ]
      - bool:
          must: [ {term: {monitor.name: INTERNETDOWN}}, {term: {monitor.status: down}} ]
query_key: url.full

jertel Aug 13, 2021
Maintainer

Not that I'm aware of. ElastAlert works with single events. So your query is looking for a single event (log document) to match both preferences, which conflict so it won't ever match. If ElastAlert allowed matching of multiple events I'm not sure how it would know which one to use for sending field data to the alerter. Imagine if both events had the same key but with different values, and you wanted your alert email to include that key value in the subject...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bool operations not working #390

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

bool operations not working #390

zayalaksme Aug 6, 2021

Replies: 1 comment · 2 replies

jertel Aug 6, 2021 Maintainer

zayalaksme Aug 13, 2021 Author

jertel Aug 13, 2021 Maintainer

zayalaksme
Aug 6, 2021

Replies: 1 comment 2 replies

jertel
Aug 6, 2021
Maintainer

zayalaksme Aug 13, 2021
Author

jertel Aug 13, 2021
Maintainer