Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

elastalert rules: can I make an OR condition in filters using a wildcard? #3236

Open amribrahim opened 2 years ago

amribrahim commented 2 years ago

Hello, I need to make the following filter in an ElastAlert rule:

filter:
- query:
    wildcard:
      url.domain: "apis*" OR  url.domain: "test*"
- term:
    monitor.status: "up"

So I need to test that url.domain starts with the keyword apis or the keyword test, but when I test the rule it gives an error on the OR condition. How can I solve this issue?

Thanks

himaniraghav3 commented 2 years ago

Hello! I referred to the elastalert docs for writing rules and found this query that matches your problem:

   - query:
       query_string:
         query: "field: value OR otherfield: othervalue"

So, why don't you enclose the whole thing inside url.domain in double quotes? Let's see if that works.
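As an added example (not code from the issue or from the ElastAlert project), here is the asker's filter rewritten in two equivalent forms that Elasticsearch accepts: the query_string form the answer points to, with the OR expressed inside a single query string, and a bool/should form built from two wildcard clauses. Both assume url.domain is a keyword-typed field (wildcards on an analyzed text field match against individual tokens, not the whole domain) and that the rule otherwise keeps its original term filter on monitor.status.

```yaml
# Form 1: a single query_string, where the OR lives inside the Lucene query.
# Each element of `filter` is raw Elasticsearch query DSL; ElastAlert ANDs them together.
filter:
- query:
    query_string:
      query: "url.domain:apis* OR url.domain:test*"
- term:
    monitor.status: "up"

# Form 2: the same intent with explicit wildcard clauses under bool/should.
# minimum_should_match: 1 makes the should list behave as an OR.
# (Assumed mapping: url.domain is a keyword field, so "apis*" matches the full value.)
filter:
- bool:
    should:
    - wildcard:
        url.domain: "apis*"
    - wildcard:
        url.domain: "test*"
    minimum_should_match: 1
- term:
    monitor.status: "up"
```

Use only one of the two `filter` blocks in a real rule file; they are shown together for comparison. Leading wildcards (`*apis`) are far more expensive than the prefix form used here and are best avoided in rules that run on every scan.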