Not getting any alerts for metricbeat cpu data

[Prakashrathod28]

Hello, I'm new to elastalert and trying below instructions for metricbeat alerting https://fabianlee.org/2017/04/16/elk-elastalert-for-alerting-based-on-data-from-elasticsearch/

I've incease cpu load using stress as mention in that link but it seems i'm not getting any matches. But Everytime i get INFO:elastalert:Ran Metricbeat CPU Spike Rule from 2019-05-16 15:06 IST to 2019-05-16 15:16 IST: 0 query hits (0 already seen), 0 matches, 0 alerts sent

**(I've purposely kept alerts in --debug mode for testing purpose) My rule yaml file -----------cpu_high.yaml------------ name: Metricbeat CPU Spike Rule type: metric_aggregation

es_host: localhost

es_port: 9200

index: metricbeat-*

buffer_time: minutes: 1

metric_agg_key: system.cpu.user.pct metric_agg_type: avg query_key: beat.hostname doc_type: metricsets

bucket_interval: minutes: 1

sync_bucket_interval: true

allow_buffer_time_overlap: true

use_run_every_query_size: true

min_threshold: 0.0 max_threshold: 0.5

filter:

• term: metricset.name: cpu

alert:

• "debug" -----------------End of file---------------------------

ES version : 7 Elastalert version: latest

[Prakashrathod28]

@Qmando ... Any suggestions?

[nikhilgangrade]

Try using type: any

[Qmando]

Please show the full JSON for one of the metricbeat documents

[GOPIPACHA]

Try using type: any

Thanks this helped me a lot and my suggestion is try to add es_host also

[msrinivascharan]

It worked after changing type to any. thank you.

[Prashant-aristocrat]

elastalert:Ran Metricbeat CPU Spike Rule Test from 2021-09-20 15:53 UTC to 2021-09-20 15:55 UTC: 0 query hits

I am not able to get alert , if I am choosing type any then bunch of alerts come for every hit but I need the alert according to the thresold.