Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

After a while of stopping elastalert and starting it, it alerts several times #2711

Open mtudisco49 opened 4 years ago

mtudisco49 commented 4 years ago

Hi, I'm using Elasticsearch 7.2 and the latest version of ElastAlert. I'm monitoring database status in an index, and I have configured a frequency rule to alert when a database is closed:

name: dbstatus
type: frequency
index: orachecks*
num_events: 1
timeframe:
  hours: 1
realert:
  minutes: 0
query_key: db_at_host.keyword
filter:
- query:
    query_string:
      query: "dbstatus.db_status: CLOSED AND type2.keyword: dbstatus"
alert:
- "email"
email:
- "email@domain"

It was working fine, but I shut down a database, stopped ElastAlert, and the following day when I started ElastAlert I got about 200 mails with the alert.

Can anyone help me see if this can be changed?

thanks

divyalakshmi24 commented 4 years ago

Any update on this? After restarting the ElastAlert container, alerts are flooding. Is there a way to clear the queue?

R0LL0 commented 2 months ago

Hello, try changing to this, with realert set to 5 minutes:

name: dbstatus
type: frequency
index: orachecks*
num_events: 1
timeframe:
  hours: 1
realert:
  minutes: 5
query_key: db_at_host.keyword
filter:
- query:
    query_string:
      query: "dbstatus.db_status: CLOSED AND type2.keyword: dbstatus"
alert:
- "email"
email:
- "email@domain"
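Added example, not code from the thread or from ElastAlert itself: a small Python model of the realert silence cache, replayed over a constructed backlog of CLOSED documents. It shows why the rule above with realert: 0 sends one mail per backlogged document after a restart (num_events: 1 makes every matching document a hit, and a zero realert window never suppresses), and how a non-zero realert cuts the count per query_key value. The host names, timestamps and the one-check-per-minute interval are assumptions made for the example; the counts only hold for that constructed input.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption, not real documents): a 16-hour backlog of
# "dbstatus" documents, one per host per minute, all reporting CLOSED, for two hosts.
START = datetime(2020, 1, 1, 0, 0)
HOSTS = ["ORCL@dbhost1", "ORCL@dbhost2"]


def make_backlog(start=START, hours=16, interval_min=1, hosts=HOSTS):
    """Build the documents a rule would read back after a long restart gap."""
    events = []
    end = start + timedelta(hours=hours)
    t = start
    while t < end:
        for host in hosts:
            events.append({
                "@timestamp": t,
                "db_at_host": host,
                "type2": "dbstatus",
                "dbstatus": {"db_status": "CLOSED"},
            })
        t += timedelta(minutes=interval_min)
    return events


def matches_filter(doc):
    """The rule's filter: dbstatus.db_status: CLOSED AND type2.keyword: dbstatus."""
    return doc["dbstatus"]["db_status"] == "CLOSED" and doc["type2"] == "dbstatus"


def run_frequency_rule(events, realert, query_key="db_at_host"):
    """Replay events through a frequency rule with num_events: 1.

    Simplified model of the realert silence: once an alert fires for a
    query_key value, further matches for that value are dropped until the
    realert window has elapsed. Returns the list of (timestamp, key) alerts.
    """
    silence_until = {}  # query_key value -> time until which alerts are suppressed
    alerts = []
    for doc in sorted(events, key=lambda d: d["@timestamp"]):
        if not matches_filter(doc):
            continue
        key = doc[query_key]
        ts = doc["@timestamp"]
        if key in silence_until and ts < silence_until[key]:
            continue  # inside the realert window for this host: suppressed
        alerts.append((ts, key))
        silence_until[key] = ts + realert  # realert of 0 never suppresses anything
    return alerts


def alert_counts(realert_minutes=(0, 5, 60)):
    """Alerts the same backlog produces under different realert settings, keyed by minutes."""
    backlog = make_backlog()
    return {
        m: len(run_frequency_rule(backlog, timedelta(minutes=m)))
        for m in realert_minutes
    }


if __name__ == "__main__":
    for minutes, n in alert_counts().items():
        print(f"realert {minutes} min: {n} alerts over a 16-hour backlog")
```

The point to check before relying on a small realert: it only suppresses within its own window, so over a long outage a 5-minute realert still yields one mail per host every 5 minutes of backlog. Size realert against the longest gap you expect to replay, or let the window grow with the rule's exponential_realert option.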