Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

0 query hits #1010

Closed da2vin closed 7 years ago

da2vin commented 7 years ago

Hello!

I used elastalert-test-rule but got 0 query hits:

Successfully loaded sqoopBatchRunError

INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.2.246
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent. To send them, use --verbose.
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.2.246
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.2.246
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 12:50 CST to 2017-04-11 13:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 13:05 CST to 2017-04-11 13:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 13:20 CST to 2017-04-11 13:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 13:35 CST to 2017-04-11 13:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 13:50 CST to 2017-04-11 14:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 14:05 CST to 2017-04-11 14:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 14:20 CST to 2017-04-11 14:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 14:35 CST to 2017-04-11 14:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 14:50 CST to 2017-04-11 15:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 15:05 CST to 2017-04-11 15:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 15:20 CST to 2017-04-11 15:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 15:35 CST to 2017-04-11 15:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 15:50 CST to 2017-04-11 16:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 16:05 CST to 2017-04-11 16:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 16:20 CST to 2017-04-11 16:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 16:35 CST to 2017-04-11 16:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 16:50 CST to 2017-04-11 17:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 17:05 CST to 2017-04-11 17:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 17:20 CST to 2017-04-11 17:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 17:35 CST to 2017-04-11 17:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 17:50 CST to 2017-04-11 18:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 18:05 CST to 2017-04-11 18:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 18:20 CST to 2017-04-11 18:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 18:35 CST to 2017-04-11 18:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 18:50 CST to 2017-04-11 19:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 19:05 CST to 2017-04-11 19:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 19:20 CST to 2017-04-11 19:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 19:35 CST to 2017-04-11 19:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 19:50 CST to 2017-04-11 20:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 20:05 CST to 2017-04-11 20:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 20:20 CST to 2017-04-11 20:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 20:35 CST to 2017-04-11 20:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 20:50 CST to 2017-04-11 21:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 21:05 CST to 2017-04-11 21:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 21:20 CST to 2017-04-11 21:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 21:35 CST to 2017-04-11 21:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 21:50 CST to 2017-04-11 22:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 22:05 CST to 2017-04-11 22:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 22:20 CST to 2017-04-11 22:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 22:35 CST to 2017-04-11 22:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 22:50 CST to 2017-04-11 23:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 23:05 CST to 2017-04-11 23:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 23:20 CST to 2017-04-11 23:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 23:35 CST to 2017-04-11 23:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-11 23:50 CST to 2017-04-12 00:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 00:05 CST to 2017-04-12 00:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 00:20 CST to 2017-04-12 00:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 00:35 CST to 2017-04-12 00:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 00:50 CST to 2017-04-12 01:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 01:05 CST to 2017-04-12 01:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 01:20 CST to 2017-04-12 01:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 01:35 CST to 2017-04-12 01:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 01:50 CST to 2017-04-12 02:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 02:05 CST to 2017-04-12 02:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 02:20 CST to 2017-04-12 02:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 02:35 CST to 2017-04-12 02:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 02:50 CST to 2017-04-12 03:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 03:05 CST to 2017-04-12 03:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 03:20 CST to 2017-04-12 03:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 03:35 CST to 2017-04-12 03:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 03:50 CST to 2017-04-12 04:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 04:05 CST to 2017-04-12 04:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 04:20 CST to 2017-04-12 04:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 04:35 CST to 2017-04-12 04:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 04:50 CST to 2017-04-12 05:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 05:05 CST to 2017-04-12 05:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 05:20 CST to 2017-04-12 05:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 05:35 CST to 2017-04-12 05:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 05:50 CST to 2017-04-12 06:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 06:05 CST to 2017-04-12 06:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 06:20 CST to 2017-04-12 06:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 06:35 CST to 2017-04-12 06:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 06:50 CST to 2017-04-12 07:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 07:05 CST to 2017-04-12 07:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 07:20 CST to 2017-04-12 07:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 07:35 CST to 2017-04-12 07:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 07:50 CST to 2017-04-12 08:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 08:05 CST to 2017-04-12 08:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 08:20 CST to 2017-04-12 08:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 08:35 CST to 2017-04-12 08:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 08:50 CST to 2017-04-12 09:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 09:05 CST to 2017-04-12 09:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 09:20 CST to 2017-04-12 09:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 09:35 CST to 2017-04-12 09:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 09:50 CST to 2017-04-12 10:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 10:05 CST to 2017-04-12 10:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 10:20 CST to 2017-04-12 10:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 10:35 CST to 2017-04-12 10:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 10:50 CST to 2017-04-12 11:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 11:05 CST to 2017-04-12 11:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 11:20 CST to 2017-04-12 11:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 11:35 CST to 2017-04-12 11:50 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 11:50 CST to 2017-04-12 12:05 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 12:05 CST to 2017-04-12 12:20 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 12:20 CST to 2017-04-12 12:35 CST: 0 / 0 hits
INFO:elastalert:Queried rule sqoopBatchRunError from 2017-04-12 12:35 CST to 2017-04-12 12:50 CST: 0 / 0 hits

Would have written the following documents to writeback index (default is elastalert_status):

elastalert_status - {'hits': 0, 'matches': 0, '@timestamp': datetime.datetime(2017, 4, 12, 4, 50, 37, 715654, tzinfo=tzutc()), 'rule_name': 'sqoopBatchRunError', 'starttime': datetime.datetime(2017, 4, 11, 4, 50, 37, 502423, tzinfo=tzutc()), 'endtime': datetime.datetime(2017, 4, 12, 4, 50, 37, 502423, tzinfo=tzutc()), 'time_taken': 0.21025586128234863}

sqoop_alert.yaml:

# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com

# (Optional)
# Elasticsearch port
# es_port: 14900

# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: sqoopBatchRunError

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: sqoop-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 60

# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
#filter:
#- query:
#    wildcard:
#      timestamp : "1*"

# (Required)
# The alert is used when a match is found
alert:
- "email"
# (required, email specific)
# a list of email addresses to send alerts to
email:
- "email"
# Add email body text
alert_text: "告警邮件 - sqoop_error"
## SMTP mail server configuration
smtp_host: smtp.mail.test.com
smtp_port: 25
#
## User authentication file
smtp_auth_file: smtp_auth_file.yaml
email_reply_to: test@test.com
from_addr: test@test.com
#
## (required, email specific)
## a list of email addresses to send alerts to
email:
- "test@test.com"

Elasticsearch index:
sqoop-2017-04-12

{
    "_index" : "sqoop-2017-04-12",
    "_type" : "sqoop",
    "_id" : "AVtf_bgQTL1GnGS9QJFp",
    "_version" : 1,
    "_score" : 1,
    "_source" : {
        "@message" : "17/04/12 02:29:06 INFO zookeeper.ClientCnxn: Opening socket connection to server 192.168.2.247/192.168.2.247:2181. Will not attempt to authenticate using SASL (unknown error)",
        "@timestamp" : "2017-04-12T10:28:33.790Z",
        "@source_host" : "dataplat2",
        "@fields" : {
            "timestamp" : "1491964113790",
            "host" : "dataplat2"
        }
    }
}

index info:

{
    "state" : "open",
    "settings" : {
        "index" : {
            "creation_date" : "1491964114091",
            "uuid" : "KeGwV5wOSsKM3BPPEPOgUw",
            "number_of_replicas" : "1",
            "number_of_shards" : "5",
            "version" : {
                "created" : "1070099"
            }
        }
    },
    "mappings" : {
        "sqoop" : {
            "properties" : {
                "@fields" : {
                    "properties" : {
                        "timestamp" : {
                            "type" : "string"
                        },
                        "host" : {
                            "type" : "string"
                        }
                    }
                },
                "@timestamp" : {
                    "format" : "dateOptionalTime",
                    "type" : "date"
                },
                "@message" : {
                    "type" : "string"
                },
                "@source_host" : {
                    "type" : "string"
                }
            }
        }
    },
    "aliases" : []
}

I changed to another index and it succeeded, but this index failed. I don't know why... please help~~~~

Qmando commented 7 years ago

It looks like your @timestamp has the wrong time zone.

"timestamp" : "1491964113790" == Wed Apr 12 02:28:33 UTC 2017
2017-04-12T10:28:33.790Z == Wed Apr 12 10:28:33 UTC 2017
2017-04-12 12:50 CST: 0 / 0 hits == Wed Apr 12 04:50:33 UTC 2017

The document @timestamp says it comes from the future!!

This might work.

timestamp_field: "@fields.timestamp"
timestamp_type: unix_ms
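
The mismatch Qmando points at can be checked mechanically before editing the rule. The script below is an added example for this thread, not ElastAlert's own code: it takes the indexed document and the one-day query window from the test run above, parses each candidate timestamp field the way `timestamp_type: iso` and `timestamp_type: unix_ms` would read it, and reports which field actually lands inside the window. The `gt start / lte end` range boundaries are an assumption about ElastAlert's query; the "document from the future" diagnosis does not depend on them.

```python
"""Diagnose an ElastAlert "0 / 0 hits" run by checking which timestamp field
of a sample document falls inside the query window.

Added example for this issue thread, not ElastAlert's own code. The document
and the window are copied from the issue; everything else is an assumption.
"""
from datetime import datetime, timedelta, timezone

# Query window of the elastalert-test-rule run, taken from the writeback
# document it printed (starttime/endtime, UTC).
WINDOW_START = datetime(2017, 4, 11, 4, 50, 37, 502423, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 4, 12, 4, 50, 37, 502423, tzinfo=timezone.utc)

# _source of the indexed document from the issue (message shortened).
DOC = {
    "@message": "17/04/12 02:29:06 INFO zookeeper.ClientCnxn: Opening socket connection ...",
    "@timestamp": "2017-04-12T10:28:33.790Z",
    "@source_host": "dataplat2",
    "@fields": {"timestamp": "1491964113790", "host": "dataplat2"},
}

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_iso(value):
    """Read a field as `timestamp_type: iso`. A trailing 'Z' means UTC; a
    string without any offset is assumed to be UTC (assumption)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def parse_unix_ms(value):
    """Read a field as `timestamp_type: unix_ms`. Works even when the index
    maps the field as a string, as the mapping in the issue does."""
    return EPOCH + timedelta(milliseconds=int(value))


def get_dotted(doc, path):
    """Resolve a dotted field name such as "@fields.timestamp"."""
    cur = doc
    for part in path.split("."):
        cur = cur[part]
    return cur


PARSERS = {"iso": parse_iso, "unix_ms": parse_unix_ms}


def in_window(ts, start, end):
    """Assumed ElastAlert range filter: gt start, lte end."""
    return start < ts <= end


def diagnose(doc, candidates, start=WINDOW_START, end=WINDOW_END):
    """For each (field, timestamp_type) pair return the parsed UTC time,
    whether it is inside the window, and its offset from the window end.
    A positive offset is the "document from the future" case."""
    report = {}
    for field, ts_type in candidates:
        ts = PARSERS[ts_type](get_dotted(doc, field))
        report[field] = {
            "utc": ts,
            "in_window": in_window(ts, start, end),
            "offset_from_end": ts - end,
        }
    return report


if __name__ == "__main__":
    candidates = [("@timestamp", "iso"), ("@fields.timestamp", "unix_ms")]
    for field, info in diagnose(DOC, candidates).items():
        verdict = "inside window" if info["in_window"] else "outside window"
        print(f"{field:20} {info['utc'].isoformat()}  {verdict} "
              f"({info['offset_from_end']} from window end)")
```

Run against the document in this issue, `@timestamp` parses to 10:28 UTC, more than five hours after the window closed, while `@fields.timestamp` parses to 02:28 UTC and sits inside the window, which is why switching `timestamp_field` to `@fields.timestamp` with `timestamp_type: unix_ms` makes the rule match.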

da2vin commented 7 years ago

It works! thank you very much!

Dayait commented 7 years ago

Hi, here I have a similar problem. I am unable to trace what the issue could be, like timestamp or older date, since the rule just searches by the current @timestamp. But rule name any should not be restricted by the stamp; it should search for the filters applied as both. I can see the data is available in Kibana, but with ElastAlert it shows 0 hits, 0 alerts, 0 sent.

Elastic Data

http://localhost:9200/sw/_search?q=name:Solo

{
  "took": 7,
  "timed_out": false,
  "_shards": { "total": 5, "successful": 5, "failed": 0 },
  "hits": {
    "total": 1,
    "max_score": 2.1236846,
    "hits": [
      {
        "_index": "sw",
        "_type": "people",
        "_id": "14",
        "_score": 2.1236846,
        "_source": {
          "starships": [ "http://swapi.co/api/starships/10/", "http://swapi.co/api/starships/22/" ],
          "edited": "2014-12-20T21:17:50.334000Z",
          "name": "Han Solo",
          "created": "2014-12-10T16:49:14.582000Z",
          "url": "http://swapi.co/api/people/14/",
          "gender": "male",
          "vehicles": [],
          "skin_color": "fair",
          "hair_color": "brown",
          "height": "180",
          "eye_color": "brown",
          "mass": "80",
          "films": [ "http://swapi.co/api/films/2/", "http://swapi.co/api/films/3/", "http://swapi.co/api/films/1/", "http://swapi.co/api/films/7/" ],
          "species": [ "http://swapi.co/api/species/1/" ],
          "homeworld": "http://swapi.co/api/planets/22/",
          "birth_year": "29BBY"
        }
      }
    ]
  }
}

rule:

es_host: localhost
es_port: 9200
name: Test2 rule
type: any
index: sw
timestamp_field: created
timestamp_type: iso
num_events: 1
timeframe:
  hours: 0.1
filter:

C:\Python27\Scripts>python -m elastalert.elastalert --verbose --rule test2.yaml
INFO:elastalert:Starting up
INFO:elastalert:Sleeping for 59.985 seconds

INFO:elastalert:Queried rule local test rule from 2015-12-12 17:49 India Standard Time to 2015-12-12 18:04 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 18:04 India Standard Time to 2015-12-12 18:19 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 18:19 India Standard Time to 2015-12-12 18:34 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 18:34 India Standard Time to 2015-12-12 18:49 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 18:49 India Standard Time to 2015-12-12 19:04 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 19:04 India Standard Time to 2015-12-12 19:19 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 19:19 India Standard Time to 2015-12-12 19:34 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 19:34 India Standard Time to 2015-12-12 19:49 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 19:49 India Standard Time to 2015-12-12 20:04 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 20:04 India Standard Time to 2015-12-12 20:19 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 20:19 India Standard Time to 2015-12-12 20:34 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 20:34 India Standard Time to 2015-12-12 20:49 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 20:49 India Standard Time to 2015-12-12 21:04 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 21:04 India Standard Time to 2015-12-12 21:19 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 21:19 India Standard Time to 2015-12-12 21:34 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 21:34 India Standard Time to 2015-12-12 21:49 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 21:49 India Standard Time to 2015-12-12 22:04 India Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule local test rule from 2015-12-12 22:04 India Standard Time to 2015-12-12 22:19 India Standard Time: 0 / 0 hits
INFO:elastalert:Skipping writing to ES: {'hits': 0, 'matches': 0, '@timestamp': '2017-10-16T17:57:21.976Z', 'rule_name': 'local test rule', 'starttime': '2014-12-10T16:49:00Z', 'endtime': '2015-12-12T16:49:00Z', 'time_taken': 115.39000010490417}
INFO:elastalert:Ran local test rule from 2014-12-10 22:19 India Standard Time to 2015-12-12 22:19 India Standard Time: 0 query hits (0 already seen), 0 matches, 0 alerts sent
WARNING:root:Querying from 2014-12-10 22:19 India Standard Time to 2015-12-12 22:19 India Standard Time took longer than 0:01:00!