Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

elastalert sends multiple email alerts instead of sending an aggregated email. #3104

Closed smeesheady closed 3 years ago

smeesheady commented 3 years ago

This is my elastalert rule and it works, but in a 10 minute cycle, instead of sending one aggregated email, it sends a separate email for each document that matched. My global run_every alert time is 10 minutes. Please help me soon. Thank you.

skynet.yaml: |-

name: skynet
type: frequency
limit_execution: "0/10 * * * *"
index: wpng-httpd-perf-*
num_events: 1
top_count_keys: ["Host_Id", "Host_Group"]
timeframe:
  minutes: 15
filter:
- query:
    query_string:
        query: "Host_Group.keyword:ZOOKEEPER_ZK1_QA"
alert:
- "email"
email_format: html
aggregation:
  minutes: 15
aggregation_key: 'Host_Id'
email:
- "johndoe@skynet.com"
from_addr: "sam@skynet.com"
alert_subject: "PLOT1 at {0}."
alert_subject_args:
- "@timestamp"
alert_text: "Hi Team,<br><br/> {0} ERROR event(s) detected in last 15 minutes <br/><br>Hosts where errors are detected :</br> Host_Id is {1} <br></br><br></br> <br>Here are a few of those :</br><br> messages {2} </br><br> </br><br/><br>bye.</br><br></br><br>Thanks <br></br> "
alert_text_type: alert_text_only
alert_text_args:
- num_matches
- Host_Id
- message
- top_count_keys

skynet.txt

smeesheady commented 3 years ago

It worked when I gave it like this. Does anyone know how to get num_events for each Host_Id field? I want to send how many records came for each Host_Id; currently num_matches contains all the matches.

Demo.yaml: |-

name: Demo
type: frequency
limit_execution: "0/15 * * * *"
index: HHH-*
num_events: 1
attach_related: true
aggregation:
  minutes: 10
include:
  - Host_Group
  - Host_Id
timeframe:
  minutes: 15
filter:
- query:
    query_string:
        query: "Host_Group.keyword:HELO"
alert:
- "email"
email:
- "john@Demo.com"
from_addr: "HHSupport@Demo.com"
alert_subject: "WARNING - logs of host group HELO at {0}"
alert_subject_args:
- "@timestamp"
alert_text: "1 out of {0} events - ERROR were detected in last 15 minutes, in zookeeper log. Host name {1}"
alert_text_type: alert_text_only
alert_text_args:
- num_matches
- Host_Id
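The two questions in this thread, why `aggregation_key: 'Host_Id'` produces one email per host and how to get a count per Host_Id, can be traced with a small model of the documented aggregation behaviour. This is an added example, not code from the thread or from ElastAlert itself; the matches are constructed, and the function names (`group_for_alerts`, `count_per_field`, `render_summary`) are hypothetical.

```python
"""Model of ElastAlert's aggregation grouping on constructed matches.

Added example for this thread; it is not ElastAlert's code and does not import
it. It mimics two documented behaviours of the rules pasted above:
  * `aggregation` batches the matches seen in a window into one alert, and
  * `aggregation_key` keeps a separate batch (hence a separate email) for each
    distinct value of that field.
It also computes per-Host_Id counts, which is what `top_count_keys` reports and
what the second post asks for.
"""
from collections import Counter, defaultdict
from typing import Any, Dict, List, Optional

# Constructed sample matches; field names follow the rules in the thread.
MATCHES: List[Dict[str, Any]] = [
    {"@timestamp": "2021-01-01T10:00:01Z", "Host_Group": "ZOOKEEPER_ZK1_QA",
     "Host_Id": "zk-01", "message": "ERROR session expired"},
    {"@timestamp": "2021-01-01T10:00:07Z", "Host_Group": "ZOOKEEPER_ZK1_QA",
     "Host_Id": "zk-02", "message": "ERROR connection refused"},
    {"@timestamp": "2021-01-01T10:01:12Z", "Host_Group": "ZOOKEEPER_ZK1_QA",
     "Host_Id": "zk-01", "message": "ERROR leader election failed"},
    {"@timestamp": "2021-01-01T10:03:40Z", "Host_Group": "ZOOKEEPER_ZK1_QA",
     "Host_Id": "zk-03", "message": "ERROR disk full"},
    {"@timestamp": "2021-01-01T10:05:55Z", "Host_Group": "ZOOKEEPER_ZK1_QA",
     "Host_Id": "zk-01", "message": "ERROR session expired"},
]


def group_for_alerts(matches: List[Dict[str, Any]],
                     aggregation_key: Optional[str] = None
                     ) -> Dict[Optional[str], List[Dict[str, Any]]]:
    """Split matches into the batches that become one alert each.

    Without an aggregation_key every match lands in a single batch (key None),
    i.e. one aggregated email. With a key, each distinct value gets its own
    batch, which is why `aggregation_key: Host_Id` yields one email per host.
    """
    batches: Dict[Optional[str], List[Dict[str, Any]]] = defaultdict(list)
    for match in matches:
        key = match.get(aggregation_key) if aggregation_key else None
        batches[key].append(match)
    return dict(batches)


def count_per_field(matches: List[Dict[str, Any]], field: str) -> Counter:
    """Number of matches per distinct value of `field` (what top_count_keys shows)."""
    return Counter(str(m.get(field)) for m in matches)


def render_summary(batch: List[Dict[str, Any]], field: str = "Host_Id") -> str:
    """Build the numbers an alert_text would want: total and per-host counts."""
    per_host = count_per_field(batch, field)
    lines = [f"{len(batch)} ERROR event(s) detected"]
    lines += [f"{host}: {n} event(s)" for host, n in sorted(per_host.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    # One batch -> one email for the whole window.
    print(len(group_for_alerts(MATCHES)), "email without aggregation_key")
    # One batch per Host_Id -> one email per host, the behaviour reported above.
    per_host_batches = group_for_alerts(MATCHES, "Host_Id")
    print(len(per_host_batches), "emails with aggregation_key: Host_Id")
    print(render_summary(MATCHES))
```

ElastAlert's documentation describes `aggregation_key` as opening a separate aggregation window for each new value of the field, so one email per Host_Id is the configured behaviour of the first rule rather than a fault; leaving `aggregation_key` out keeps a single window, and `top_count_keys` (already set in that rule) is what supplies the per-host counts the second post asks for.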