Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Is it possible to define chronology between related alarms? #1944

Open lucasalvarezlacasa opened 5 years ago

lucasalvarezlacasa commented 5 years ago

Hello everybody! I have the following scenario:

```yaml
name: combined_alarm
type: cardinality
cardinality_field: rule_name
max_cardinality: 1
filter:
  - terms:
      rule_name:
        - alarm1
        - alarm2
        - alarm3
  - term:
      alert_sent: true
query_key: ["match_body.client.name", "match_body.client.location", "match_body.username"]
index: .elastalert_status
timeframe:
  minutes: 60
aggregation_key:
  - match_body.message
alert:
  - "ms_teams"
...
```

The idea of this code is to trigger combined_alarm when alarm1, alarm2 and alarm3 are fired within an interval of 60 minutes. This works perfectly :). However, I need to enforce a certain order of the events. I would like to fire combined_alarm only if alarm1 occurred before alarm2, and alarm2 before alarm3.

How can I do that? I've read something about enhancements but I'm not quite sure how to implement something like this. Any snippet of code would be highly appreciated.

Thank you!

Qmando commented 5 years ago

Hm, this is a pretty tough problem right now. One issue is that the cardinality rule will only include the event that triggered the alert, i.e., the 3rd one. The enhancement therefore would only know which of them was last, and nothing about the ordering of the first two. If that's sufficient, the enhancement would just look at the match and decide based on the rule_name whether to drop it or not.
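A match enhancement along the lines Qmando describes, as an added example that is not part of elastalert or of this issue: it inspects the single event a cardinality match carries and drops the match unless that event's rule_name is the alarm that must come last. `expected_last_rule` is an assumed custom key in the rule YAML (not an elastalert option); `match_enhancements`, `BaseEnhancement` and `DropMatchException` are ElastAlert's own, with minimal fallbacks so the file runs where elastalert is not installed.

```python
# Added example: an ElastAlert match enhancement implementing the approach
# suggested above; it is not elastalert's code or the reporter's rule.
# Assumption: the rule YAML carries a custom key `expected_last_rule: alarm3`
# (hypothetical, not an elastalert option) and lists this class under
# `match_enhancements`.
try:
    from elastalert.enhancements import BaseEnhancement, DropMatchException
except ImportError:  # minimal fallbacks so the example runs without elastalert
    class DropMatchException(Exception):
        """Raised by an enhancement to make ElastAlert discard the match."""

    class BaseEnhancement(object):
        def __init__(self, rule):
            self.rule = rule


class LastAlarmOnlyEnhancement(BaseEnhancement):
    """Drop the combined alert unless the event that completed the cardinality
    window is the alarm that must come last. A cardinality match carries only
    the event that pushed the count over max_cardinality, so this is the only
    ordering fact the enhancement can check."""

    def process(self, match):
        expected = self.rule.get("expected_last_rule")
        if not expected:
            # Misconfigured rule: fail closed instead of alerting on any order.
            raise DropMatchException()
        if match.get("rule_name") != expected:
            raise DropMatchException()
        # Note the decision in the match so it appears in the alert body.
        match["ordering_check"] = "last event was %s as required" % expected


def passes_ordering(rule, match):
    """True if ElastAlert would still alert on this match after the enhancement."""
    try:
        LastAlarmOnlyEnhancement(rule).process(match)
    except DropMatchException:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample hits shaped like .elastalert_status documents.
    rule = {"name": "combined_alarm", "expected_last_rule": "alarm3"}
    print(passes_ordering(rule, {"rule_name": "alarm3", "alert_sent": True}))  # True
    print(passes_ordering(rule, {"rule_name": "alarm1", "alert_sent": True}))  # False
```

As Qmando notes, this only confirms which alarm fired last; it cannot tell whether alarm1 preceded alarm2 within the window.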