Querying multiple indices

Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch

https://elastalert.readthedocs.org

Apache License 2.0

8k stars 1.73k forks source link

Querying multiple indices #843

Open AviralSri opened 7 years ago

AviralSri commented 7 years ago

I am using elasticsearch, topbeat and packetbeat. I need to query topbeat- and packetbeat- in the same rule file. How the filters will be separated by index?? OR The filters will be queried against both indexes??

Qmando commented 7 years ago

Just comma separate them

index: topbeat,packetbeat

AviralSri commented 7 years ago

Hi,

I already tried with as you replied. My rule file is as follows:-

es_port: 9200
index: topbeat-*,packetbeat-*
smtp_host: ismtp.corp.company.com
es_host: xx.xx.xx.xx
realert:
  minutes: 5
alert: email
timeframe:
  minutes: 30
type: frequency
from_addr: abc@email.com
num_events: 1
email: ["kpr@email.com"]
name: multiple_indices
filter:
 - range:
    fs.used_p:
      from: 0.50
      to: 1
 - term:
    beat.hostname: server1
 - term:
    http.code: 200
 - term:
    beat.hostname: server2

My question is how the elastalert will know fs.used_p and beat.hostname: server1 will be queried against topbeat- AND http.code:200 and beat.hostname: server2 will be queried against packetbeat-

Qmando commented 7 years ago

How about

filter:
 - or:
    - and:
      - range:
          fs.used_p:
            from: 0.50
             to: 1
      - term:
           beat.hostname: server1
    - and 
      - term:
           http.code: 200
      - term:
           beat.hostname: server2

AviralSri commented 7 years ago

Hi,

filter: - or: - and: - range: fs.used_p: from: 0.50 - term: beat.hostname: server1 - term: fs.device_name: D:\ - and: - term: http.code: 200 - term: beat.hostname: server2

I have tried the filer but when I get emails it is containing information only about packetbeat-* index , where server2 is having http.code more than 1 in last 30 minutes. No mention of server1 where fs.used_p is 0.91 for fs.device_name: D:. I have cross checked it in kibana.

Can you provide me a link for writing filters and using these and, not and or in more complicated scenarios.

Qmando commented 7 years ago

Have you tried removing packetbeat and see if anything matches the other index? You can either use something like elastalert-test-rule --days=7 file.yaml or elastalert --verbose --start 2016-12-08 to query over an entire week at a time just to see if you get any matches.