Elastalert: Alert triggered string not configured in Rule

[SY185098]

Hi,

Elastalert is deployed on a kubernetes cluster using helm. Used these charts to deploy elastalert: https://github.com/helm/charts/tree/master/stable/elastalert

Configured a rule with query as follows: rule.yaml

filter:
- query:
    query_string:
      query: "msg: Process Failed, XXXX"

Issue 1 : Alert is getting triggered even for string "YYYY, Process Failed". Please advice if the above configuration requires any change to get alert for only configured string. Issue 2 : Can someone suggest a way to configure multiple stings in a single query. Here we are trying to configure around 15 strings from two different index patterns. Need help on configuring two rules, each for a particular index pattern with respective strings in those rules.

Thanks, Sai Teja.

[kb185177]

Can we get some updates here?

[tq185007]

Resources pulled from: https://lucene.apache.org/core/2_9_4/queryparsersyntax.html#Field%20Grouping https://github.com/Yelp/elastalert

For Issue 1: Can't say for sure without testing, but the format should be "msg: Process Failed,*" where the apostrophe notates that multiple characters can be placed in its place. For filtering by specific variable/value combinations instead of querying, use the following:

• term: foo: "Test Document"

For Issue 2: Try using AND/OR commands similar to the apache documentation and the examples from the github readme. The two examples that I've found were: query: "foo: bar AND baz: abc*" title:(+return +"pink panther")