Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0
8k stars 1.74k forks

Why it's giving 'No mapping found for [alert_time] in order to sort on' error while running elastalert? #1893

Open venkateshrepal opened 6 years ago

venkateshrepal commented 6 years ago

I am creating an application where I need to send a mail with elastalert. When I run the command python -m elastalert.elastalert --verbose --rule myrules\myrule.yaml to trigger the rule, I get the following exception:

:\ELK_Info\ElastAlert\elastalert-master>python -m elastalert.elastalert --verbose --rule myrules\myrule.yaml
INFO:elastalert:Starting up
WARNING:elasticsearch:GET http://localhost:9200/elastalert_status_status/elastalert/_search?size=1000 [status:400 request:0.034s]
ERROR:root:Error finding recent pending alerts: RequestError(400, u'search_phase_execution_exception', u'No mapping found for [alert_time] in order to sort on'){'sort': {'alert_time': {'order': 'asc'}}, 'query': {'bool': {'filter': {'range': {'alert_time': {'to': '2018-09-10T06:09:15.858Z', 'from': '2018-09-08T06:09:15.858Z'}}}, 'must': {'query_string': {'query': '!_exists_:aggregate_id AND alert_sent:false'}}}}}
Traceback (most recent call last):
  File "D:\ELK_Info\ElastAlert\elastalert-master\elastalert\elastalert.py", line 1522, in find_recent_pending_alerts
    size=1000)
  File "C:\Python27\lib\site-packages\elasticsearch\client\utils.py", line 76, in _wrapped
    return func(*args, params=params, **kwargs)
  File "C:\Python27\lib\site-packages\elasticsearch\client\__init__.py", line 660, in search
    doc_type, '_search'), params=params, body=body)
  File "C:\Python27\lib\site-packages\elasticsearch\transport.py", line 318, in perform_request
    status, headers_response, data = connection.perform_request(method, url, params, body, headers=headers, ignore=ignore, timeout=timeout)
  File "C:\Python27\lib\site-packages\elasticsearch\connection\http_requests.py", line 90, in perform_request
    self._raise_error(response.status_code, raw_data)
  File "C:\Python27\lib\site-packages\elasticsearch\connection\base.py", line 125, in _raise_error
    raise HTTP_EXCEPTIONS.get(status_code, TransportError)(status_code, error_message, additional_info)
RequestError: RequestError(400, u'search_phase_execution_exception', u'No mapping found for [alert_time] in order to sort on')
INFO:elastalert:Queried rule Log Level Test from 2018-09-10 11:39 India Standard Time to 2018-09-10 11:39 India Standard Time: 0 / 0 hits
INFO:elastalert:Ran Log Level Test from 2018-09-10 11:39 India Standard Time to 2018-09-10 11:39 India Standard Time: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Sleeping for 1.844 seconds
INFO:elastalert:SIGINT received, stopping ElastAlert...

No mapping found for [alert_time] in order to sort on

http://localhost:9200/elastalert_status_status/_mapping/elastalert_status

Output of this API is as follows:

{
    "elastalert_status_status": {
        "mappings": {
            "elastalert_status": {
                "properties": {
                    "@timestamp": {
                        "type": "date"
                    },
                    "endtime": {
                        "type": "date"
                    },
                    "hits": {
                        "type": "long"
                    },
                    "matches": {
                        "type": "long"
                    },
                    "rule_name": {
                        "type": "text",
                        "fields": {
                            "keyword": {
                                "type": "keyword",
                                "ignore_above": 256
                            }
                        }
                    },
                    "starttime": {
                        "type": "date"
                    },
                    "time_taken": {
                        "type": "float"
                    }
                }
            }
        }
    }
}

Rule file content:

es_host: localhost
es_port: 9200
name: Log Level Test
type: frequency
index: testindexv4
num_events: 1
timeframe:
   hours: 4
filter:
 - term:
     log_level.keyword: "ERROR"
 - query:
     query_string:
       query: "log_level.keyword: ERROR"
alert:
- "email"
email:
- "<mailId>@gmail.com"

any idea to solve the same please?
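The mapping posted above has no alert_time field at all, and Elasticsearch returns exactly this 400 when asked to sort on a field that is absent from the index mapping. The script below is an added example, not code from this issue or from the ElastAlert project: it takes a _mapping response and reports which of the fields the failing pending-alert query needs (alert_time for the sort and range filter, alert_sent and aggregate_id for the query_string) are missing from the index or mapped to an unexpected type. It accepts both the ES 6 layout shown in the issue and the typeless ES 7+ layout. The expected types for alert_sent and aggregate_id, and the HEALTHY_MAPPING document, are assumptions made for the example.

```python
"""Check an Elasticsearch _mapping response for the fields that ElastAlert's
pending-alert query (the failing request in the issue) sorts and filters on.

Added example, not ElastAlert project code.  The expected types for
alert_sent and aggregate_id are assumptions; alert_time must be a date
because the query sorts on it and range-filters it by time.
"""
import json

# Mapping response exactly as posted in the issue (ES 6 layout: properties
# live under a doc type inside "mappings").  Note there is no alert_time.
ISSUE_MAPPING = json.loads("""
{
  "elastalert_status_status": {
    "mappings": {
      "elastalert_status": {
        "properties": {
          "@timestamp": {"type": "date"},
          "endtime":    {"type": "date"},
          "hits":       {"type": "long"},
          "matches":    {"type": "long"},
          "rule_name":  {"type": "text",
                         "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
          "starttime":  {"type": "date"},
          "time_taken": {"type": "float"}
        }
      }
    }
  }
}
""")

# Constructed example of a writeback index that the query can run against,
# in the ES 7+ layout (no doc-type level).  Types here are what this check
# assumes, not a copy of the project's own mapping file.
HEALTHY_MAPPING = {
    "elastalert_status": {
        "mappings": {
            "properties": {
                "alert_time":   {"type": "date"},
                "alert_sent":   {"type": "boolean"},
                "aggregate_id": {"type": "keyword"},
                "rule_name":    {"type": "keyword"},
            }
        }
    }
}

# field -> type the query needs; None means "must exist, any type".
# alert_time is the field named in the error; the other two come from the
# query_string '!_exists_:aggregate_id AND alert_sent:false' in the same log line.
REQUIRED = {"alert_time": "date", "alert_sent": "boolean", "aggregate_id": None}


def properties_of(mapping_response, index):
    """Return the merged field properties of `index` as one flat dict.

    Accepts both the ES 6 shape (mappings -> <doc_type> -> properties) and
    the ES 7+ shape (mappings -> properties).  Unknown index -> empty dict.
    """
    mappings = mapping_response.get(index, {}).get("mappings", {})
    if "properties" in mappings:                 # ES 7+: no doc types
        return dict(mappings["properties"])
    props = {}
    for body in mappings.values():               # ES 6: one dict per doc type
        props.update(body.get("properties", {}))
    return props


def check_pending_alert_fields(mapping_response, index, required=REQUIRED):
    """Return {field: problem} for required fields that are absent or mistyped.

    Elasticsearch rejects a sort on a field with no mapping at all (the 400
    'No mapping found for [...] in order to sort on' seen in the issue), so an
    empty result means the pending-alert query can run on this index.
    """
    props = properties_of(mapping_response, index)
    problems = {}
    for field, wanted in required.items():
        if field not in props:
            problems[field] = "not in mapping"
        elif wanted is not None and props[field].get("type") != wanted:
            problems[field] = "mapped as %s, expected %s" % (props[field].get("type"), wanted)
    return problems


if __name__ == "__main__":
    print("issue index:  ", check_pending_alert_fields(ISSUE_MAPPING, "elastalert_status_status"))
    print("healthy index:", check_pending_alert_fields(HEALTHY_MAPPING, "elastalert_status"))
```

Run it against the JSON from GET <index>/_mapping for the index ElastAlert is querying as its writeback index (elastalert_status_status in the log above). A non-empty result means that index was created without the fields the pending-alert query relies on; missing fields can be added with PUT _mapping, while a field that already exists with the wrong type cannot be changed in place and needs the index recreated.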

mangoC commented 5 years ago

According to the elastalert logs, the errors come from elastalert/elastalert.py. I suppose that I had not triggered an alert-sent incident, thus the index (alert_time) is not initialized. Finally, I added an annotation on the code in the attached screenshot and elastalert ran fine, and then later restored it after doing its job.

kssathish86 commented 3 years ago

Which file did you add the annotation to?

11101171 commented 1 year ago

You can use timestamp_field to change which field ElastAlert 2 will use as the timestamp. You can use timestamp_type to change it between ISO 8601 and unix timestamps. You must have some kind of timestamp for ElastAlert 2 to work. If your events are not in real time, you can use query_delay and buffer_time to adjust when ElastAlert 2 will look for documents.

Fixed: add this to rule.yaml

timestamp_field: "@timestamp"
timestamp_type: "iso"