Is there any way to discard few records and process few records?

[skatakar]

We are inserting the events of different hosts as records in elastic search from different monitoring tool. As discussed in #2078, I am able to create custom rule type for processing events and able to re-alert for the same type of events based on hostname and event message. Now we have one more requirement is, we need to depreciate/suppress events for host name matched records (if hostname = [host1, host2]) in given time range. And make sure it should process for other hosts events.

Is it possible to use same elastalert rule to pass host values dynamically along with time range for deprecating events?

[Salaander]

I think you can solve this using an enhancement that you add to the rule which has the list of time ranges and host names to ignore. You do the matching as it is shown in the example and throw a DropMatchException if you find a silenced host and the time ranges are in place. You might even use a request to dynamically load the list of hosts and time ranges but that might cripple your elastalert so make sure to use timeouts and proper error handling.

[Qmando]

I think @Salaander Is right. SInce the elastalert code applies realert only to the value of query_key (hostname+event_message), if you want to silence by only hostname too, you need to write some custom code.

Either maintain a list of hostnames and timestamps in your custom rule type and ignore them there. Or Add "silence" type documents into the elastalert_status index (elastalert_status_silence in es6)

[skatakar]

Thanks @Salaander and @Qmando , I will try to implement in custom rule and use.

I can put the list of hostnames in separate file and read them as list. @Qmando , which method do I need to use for searching hostname filed from the record. let me know if we have any default class or methods are exists?