daichi703n
commented
4 years ago flatline mathes your case. Note that latest ElastAlert seems not to be full compatible with Elasticsearch7.x schema... flatline with option use_count_query, doc_type does not work because doc_type (_types on ES) is removed and query succeed but result is unexpected.
Which version are you using? (ElastAlert, Elasticsearch)
FYI, you can debug ES query with using --es_debug_trace trace.log startup option.
Hi, Can anyone help me on this...? I am trying to send alert when anyone of our 4 AKS clusters doesn't send data to elasticsearch with the specific cluster name. Each and every cluster send its data with specific index name. We need to filter all the indices and check which index is not sending data in specific timeframe and trigger the alert with that index name.