Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Elastalert - alert command not run #710

Open jerem97 opened 8 years ago

jerem97 commented 8 years ago

I am trying to test a simple rule that starts a shell command when an event occurs. Below is the content of the rule and the screen output, with one match and 0 alerts sent.

Does anyone have any idea?

es_host: elasticsearch
# Elasticsearch port
es_port: 443
use_ssl: True
es_url_prefix: logs

name: "Test rule"

type: frequency
index: alias-sys

num_events: 1

timeframe:
  minutes: 2
realert:
  minutes: 0

filter:
- query:
    query_string:
      query: "programname:\"Synchrony\" AND syslog_severity_code:3"
- command
command:
- /bin/script.sh
pipe_match_json: true
use_strftime_index: true

INFO:elastalert:Skipping writing to ES: {'hits': 1, 'matches': 1, '@timestamp': '2016-09-15T08:36:17.869838Z', 'rule_name': 'Test rule', 'starttime': '2016-09-15T08:21:17.402977Z', 'endtime': '2016-09-15T08:36:17.402977Z', 'time_taken': 0.4668440818786621}
INFO:elastalert:Ran Test rule from 2016-09-15 10:21 CEST to 2016-09-15 10:36 CEST: 1 query hits, 1 matches, 0 alerts sent
INFO:elastalert:Sleeping for 59 seconds
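As an added illustration (not from this issue or from the ElastAlert project), a script that could stand in for the rule's /bin/script.sh: with pipe_match_json: true, ElastAlert's command alerter writes the match as a JSON document to the command's stdin, so the script has to read stdin and should validate what it receives before acting on it, since it runs with ElastAlert's own privileges. The field names in the sample match are taken from the rule's query string; the sample values are constructed.

```python
#!/usr/bin/env python3
"""Stand-in for /bin/script.sh: consume the match JSON that ElastAlert
pipes on stdin when the command alerter has pipe_match_json: true."""
import json
import sys
from typing import Any, Dict

# Fields the script insists on before treating the input as a real match.
# The names come from the rule's query_string; everything else is assumed.
REQUIRED_FIELDS = ("programname", "syslog_severity_code")

# Constructed sample of what one match for this rule might look like.
SAMPLE_MATCH = json.dumps({
    "@timestamp": "2016-09-15T08:35:02Z",
    "programname": "Synchrony",
    "syslog_severity_code": 3,
    "message": "sync failed: connection refused",
})


def parse_match(raw: str) -> Dict[str, Any]:
    """Parse one JSON match document; raise ValueError if it is unusable."""
    try:
        match = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"stdin did not contain valid JSON: {exc}") from exc
    if not isinstance(match, dict):
        raise ValueError("match document must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in match]
    if missing:
        raise ValueError(f"match is missing fields: {', '.join(missing)}")
    return match


def format_alert(match: Dict[str, Any]) -> str:
    """Render a single-line key=value record suitable for a log sink."""
    return (f"ts={match.get('@timestamp', '?')} "
            f"program={match['programname']} "
            f"severity={match['syslog_severity_code']} "
            f"msg={json.dumps(match.get('message', ''))}")


def main() -> int:
    raw = sys.stdin.read()
    if not raw.strip():
        # Nothing on stdin: pipe_match_json is absent or false in the rule.
        sys.stderr.write("no match JSON on stdin; is pipe_match_json set?\n")
        return 2
    try:
        match = parse_match(raw)
    except ValueError as exc:
        sys.stderr.write(f"rejecting input: {exc}\n")
        return 1
    print(format_alert(match))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running it as `echo "$SAMPLE_MATCH" | ./script.py` prints one log line; an empty stdin or a document missing the expected fields exits non-zero instead of acting on it.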

oallart commented 7 years ago

aren't you missing the

alert:
  - command

section?

Qmando commented 7 years ago

If it says Skipping writing to ES that means you are running it with --debug or using elastalert-test-rule. Use --verbose instead of --debug.