bitsensor / elastalert

ElastAlert that exposes REST API's for manipulating rules and alerts
https://bitsensor.io/

ERROR elastalert-server #195

Open xiahuhu1 opened 3 years ago

xiahuhu1 commented 3 years ago

Version Info

kibana version: 7.9.0 elasticsearch: 7.9.0 elastalert: 3.0.0-beta.0

Docker Run

#!/bin/bash
# Throw away any previous container so the run below starts clean.
docker stop elastalert
docker rm -f elastalert

# Note: with --net="host" Docker discards published ports, so -p 3030:3030
# has no effect and the API listens directly on the host's port 3030.
docker run -d \
    -p 3030:3030 \
    -v `pwd`/config/elastalert.yaml:/opt/elastalert/config.yaml \
    -v `pwd`/config/config.json:/opt/elastalert-server/config/config.json \
    -v `pwd`/rules:/opt/elastalert/rules \
    -v `pwd`/rule_templates:/opt/elastalert/rule_templates \
    -v `pwd`/smtp_auth_file.yaml:/opt/elastalert/smtp_auth_file.yaml \
    --net="host" \
    --name elastalert \
    --restart=always \
    bitsensor/elastalert:3.0.0-beta.0

Config.json

{
  "es_host": "10.0.0.51",
  "es_port": 9200,
  "writeback_index": "elastalert_status"
}

Elastalert.yaml

I've revised the elastalert.yaml file:

es_host: 10.0.0.51

# The elasticsearch port
es_port: 9200

# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: rules

Error logs

12:08:18.521Z ERROR elastalert-server:
    ProcessController:  WARNING:elasticsearch:GET http://10.0.0.51:9200/elastalert_status/_search?size=1000 [status:400 request:0.003s]

12:08:18.522Z ERROR elastalert-server:
    ProcessController:  ERROR:root:Error finding recent pending alerts: RequestError(400, u'search_phase_execution_exception', u'No mapping found for [alert_time] in order to sort on') {'sort': {'alert_time': {'order': 'asc'}}, 'query': {'bool': {'filter': {'range': {'alert_time': {'to': '2020-12-25T12:08:18.518372Z', 'from': '2020-12-23T12:08:18.518346Z'}}}, 'must': {'query_string': {'query': '!_exists_:aggregate_id AND alert_sent:false'}}}}}
    Traceback (most recent call last):
      File "/opt/elastalert/elastalert/elastalert.py", line 1604, in find_recent_pending_alerts
        res = self.writeback_es.search(index=self.writeback_index, body=query, size=1000)
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/client/utils.py", line 84, in _wrapped
        return func(*args, params=params, **kwargs)
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/client/__init__.py", line 818, in search
        "GET", _make_path(index, "_search"), params=params, body=body
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/transport.py", line 353, in perform_request
        timeout=timeout,
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/connection/http_requests.py", line 143, in perform_request
        self._raise_error(response.status_code, raw_data)
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/connection/base.py", line 168, in _raise_error
        status_code, error_message, additional_info
    RequestError: RequestError(400, u'search_phase_execution_exception', u'No mapping found for [alert_time] in order to sort on')

And the Elasticsearch server is normal. Please tell me how to solve this problem.

Looking forward to your reply, thanks!

zza210 commented 2 years ago

See 'No mapping found for [alert_time] in order to sort on': it means something went wrong when ElastAlert was creating the index (likely caused by a previous ElastAlert start failure). Just delete the existing elastalert_* indices auto-created by ElastAlert in your Elasticsearch cluster and restart ElastAlert.
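A small diagnostic for the failure in this thread, added here as an example; it is not code from the ElastAlert project or from either commenter. It checks the parsed JSON of `GET /<index>/_mapping` for the fields the failing query filters and sorts on, and turns the reply's "delete the elastalert_* indices" into an explicit list instead of a wildcard. The expected field types, the `_status`/`_silence`/`_error`/`_past` companion suffixes, and all sample inputs are assumptions made for the example, not taken from the page.

```python
"""Diagnose the ElastAlert writeback index and pick the indices to reset.

The traceback above fails at sort {alert_time: asc} because Elasticsearch has
no mapping for that field in elastalert_status: the index exists but was not
created by ElastAlert's own setup (created empty, or by a stray write). These
helpers check the parsed JSON of GET /<index>/_mapping and, for the fix in the
reply, select exactly the writeback indices to delete before restarting.
Assumptions, not taken from the page: the expected field types and the
_status/_silence/_error/_past companion suffixes follow ElastAlert's writeback
mapping for Elasticsearch 6+; confirm them against your version.
"""

WRITEBACK_INDEX = "elastalert_status"  # writeback_index from config.json above

# Assumed expected types for the fields ElastAlert filters or sorts on.
EXPECTED_FIELDS = {
    "alert_time": "date",
    "@timestamp": "date",
    "alert_sent": "boolean",
    "aggregate_id": "keyword",
    "rule_name": "keyword",
}

# Assumed suffixes of the companion indices created next to the writeback index.
WRITEBACK_SUFFIXES = ("status", "silence", "error", "past")


def mapping_problems(mapping_response, index=WRITEBACK_INDEX, expected=EXPECTED_FIELDS):
    """Return the problems found in an ES 7 _mapping response, [] if it is sound."""
    entry = mapping_response.get(index)
    if entry is None:
        return ["index %s does not exist; check writeback_index in both config files" % index]
    properties = entry.get("mappings", {}).get("properties", {})
    if not properties:
        # The situation behind the traceback: an index with no fields at all.
        return ["index %s exists but has no field mappings; sorting on alert_time "
                "fails with 'No mapping found'" % index]
    problems = []
    for field, want in expected.items():
        got = properties.get(field, {}).get("type")
        if got is None:
            problems.append("field %s is not mapped" % field)
        elif got != want:
            problems.append("field %s is mapped as %s, expected %s" % (field, got, want))
    return problems


def select_writeback_indices(cat_indices_output, prefix=WRITEBACK_INDEX,
                             suffixes=WRITEBACK_SUFFIXES):
    """Split `GET /_cat/indices?h=index` output (one name per line) into
    (to_delete, to_review). Only the writeback index and its known companions
    are deleted; other indices sharing the prefix are left for a human, so a
    loose elastalert_* wildcard cannot take unrelated data with it."""
    known = {prefix} | {"%s_%s" % (prefix, s) for s in suffixes}
    to_delete, to_review = [], []
    for name in (line.strip() for line in cat_indices_output.splitlines()):
        if name in known:
            to_delete.append(name)
        elif name and name.startswith(prefix):
            to_review.append(name)
    return to_delete, to_review


# Constructed sample inputs, not captured from the reporter's cluster.
BROKEN_MAPPING = {"elastalert_status": {"mappings": {}}}
HEALTHY_MAPPING = {"elastalert_status": {"mappings": {"properties": {
    "alert_time": {"type": "date"}, "@timestamp": {"type": "date"},
    "alert_sent": {"type": "boolean"}, "aggregate_id": {"type": "keyword"},
    "rule_name": {"type": "keyword"}}}}}
# Dynamically mapped by a stray write: alert_sent came in as a string, rule_name never.
DYNAMIC_MAPPING = {"elastalert_status": {"mappings": {"properties": {
    "alert_time": {"type": "date"}, "@timestamp": {"type": "date"},
    "alert_sent": {"type": "text"}, "aggregate_id": {"type": "keyword"}}}}}
CAT_INDICES = """elastalert_status
elastalert_status_status
elastalert_status_silence
elastalert_status_error
elastalert_status_past
elastalert_status_backup
filebeat-7.9.0-2020.12.25
"""

if __name__ == "__main__":
    for label, mapping in (("broken", BROKEN_MAPPING), ("healthy", HEALTHY_MAPPING),
                           ("dynamic", DYNAMIC_MAPPING)):
        print(label, mapping_problems(mapping) or "ok")
    to_delete, to_review = select_writeback_indices(CAT_INDICES)
    for name in to_delete:  # the reply's fix, as explicit commands instead of a wildcard
        print("curl -XDELETE http://10.0.0.51:9200/%s" % name)
    print("review before touching:", to_review)
```

Run it against the real output of `curl http://10.0.0.51:9200/elastalert_status/_mapping` and `curl 'http://10.0.0.51:9200/_cat/indices?h=index'` before deleting anything: the broken case in the thread shows up as an index with no field mappings, and the delete list is limited to the writeback index and its known companions so other `elastalert_*` data has to be reviewed by hand.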