jertel / elastalert2

ElastAlert 2 is a continuation of the original yelp/elastalert project. Pull requests are appreciated!
https://elastalert2.readthedocs.org
Apache License 2.0

Why can't it run automatically? elastalert-test-rule is successful. #1150

Closed aogg closed 1 year ago

aogg commented 1 year ago

curl -H 'Content-Type: application/json' -XPOST \
  'http://localhost:9200/elastalert_status/_search?pretty&size=1000' \
  -d '{
    "query": {
      "bool": {
        "filter": {
          "range": {
            "alert_time": {
              "from": "2023-03-27T07:41:52.763398Z",
              "to": "2023-03-29T07:41:52.763430Z"
            }
          }
        },
        "must": {
          "query_string": { "query": "!exists:aggregate_id AND alert_sent:false" }
        }
      }
    },
    "sort": { "alert_time": { "order": "asc" } }
  }'

elastalert@034cbb8a00aa:~$ ./run.sh --debug --es_debug --es_debug_trace /tmp/c.log

The index pointed to by writeback_index is empty

aogg commented 1 year ago
job = self.scheduler.add_job(self.handle_rule_execution, 'interval',
                             args=[new_rule],
                             seconds=new_rule['run_every'].total_seconds(),
                             id=new_rule['name'],
                             name="Rule: %s" % (new_rule['name']),
                             max_instances=1,
                             jitter=5)

Why doesn't it run?
aogg commented 1 year ago
is_enabled: true
name: "nginx_filebeat"
type: frequency
index: filebeat-*
# use_strftime_index: true
filter:
- bool:
    must_not:
      match_phrase:
        "url.original": "/favicon.ico"
- bool:
    must:
      - range:
          "http.response.status_code":
            gt: 400
      - exists:
          field: "url.original"

# - query:
#     query_string:
#       query: "http.response.status_code> 400 and url.original: *"
query_key: 
  - "log.file.path"
  - "url.original"
num_events: 1
threshold:
  minutes: 1
  hits: 2
  # hits: 1
# query time range
timeframe:
  minutes: 1
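The rule above can be exercised without Elasticsearch or the scheduler. The script below is an added example, not ElastAlert 2's own code and not the reporter's: it models only the rule's `filter`, `query_key`, `num_events` and `timeframe` (the posted `threshold` block is not modelled) as a sliding-window count per query key, and runs it over constructed Filebeat-style documents using the field names from the rule. Clearing a key's window after a match is an assumption made here for the model.

```python
"""Offline model of the posted ``nginx_filebeat`` frequency rule.

Added example; it is not ElastAlert 2's own code and not the reporter's.
It reproduces what the rule's ``filter``, ``query_key``, ``num_events``
and ``timeframe`` would match, so the rule logic can be sanity-checked
against constructed documents without Elasticsearch or the scheduler.
The posted ``threshold`` block is not modelled. Sample documents below
are constructed for this example; field names follow the rule.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def get_field(doc, dotted):
    """Resolve a dotted field name such as ``http.response.status_code``."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_filter(doc):
    """Mirror the posted filter: url.original exists, is not /favicon.ico,
    and http.response.status_code is strictly greater than 400."""
    url = get_field(doc, "url.original")
    status = get_field(doc, "http.response.status_code")
    if url is None or url == "/favicon.ico":
        return False
    return isinstance(status, int) and status > 400


def frequency_matches(docs, num_events, timeframe, query_key):
    """Sliding-window count of filtered events per query_key value.

    A match is recorded each time a key accumulates ``num_events`` events
    within ``timeframe``; that key's window is then cleared (assumption
    made in this model so one burst yields one match).
    Returns a list of (key_tuple, timestamp_of_match).
    """
    windows = defaultdict(deque)
    matches = []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        if not rule_filter(doc):
            continue
        key = tuple(get_field(doc, k) for k in query_key)
        ts = doc["@timestamp"]
        win = windows[key]
        win.append(ts)
        while ts - win[0] > timeframe:  # drop events older than the timeframe
            win.popleft()
        if len(win) >= num_events:
            matches.append((key, ts))
            win.clear()
    return matches


T0 = datetime(2023, 3, 30, 4, 21, tzinfo=timezone.utc)
ACCESS_LOG = "/var/log/nginx/access.log"


def make_doc(offset_s, url, status, path=ACCESS_LOG):
    """Build a minimal Filebeat-style document (constructed test data)."""
    return {
        "@timestamp": T0 + timedelta(seconds=offset_s),
        "log": {"file": {"path": path}},
        "url": {"original": url},
        "http": {"response": {"status_code": status}},
    }


SAMPLE_DOCS = [
    make_doc(0, "/admin", 403),
    make_doc(5, "/favicon.ico", 404),    # excluded by must_not match_phrase
    make_doc(10, "/index.html", 200),    # status not > 400
    make_doc(15, "/login", 400),         # gt: 400 is strict, so 400 is excluded
    make_doc(20, "/admin", 404),
    make_doc(30, "/.env", 404),
    make_doc(100, "/.env", 404),         # 70 s after the previous /.env hit
]

RULE = {
    "query_key": ["log.file.path", "url.original"],
    "num_events": 1,
    "timeframe": timedelta(minutes=1),
}


def run_rule(docs=SAMPLE_DOCS, num_events=RULE["num_events"]):
    """Evaluate the modelled rule; num_events can be overridden to compare."""
    return frequency_matches(docs, num_events, RULE["timeframe"], RULE["query_key"])


if __name__ == "__main__":
    for n in (1, 2):
        print(f"num_events={n}:")
        for key, ts in run_rule(num_events=n):
            print(f"  {ts.isoformat()} {key}")
```

With `num_events: 1` every filtered event fires on its own; with `num_events: 2` only the two `/admin` hits 20 s apart fire, while the two `/.env` hits do not because they are 70 s apart and fall outside the one-minute `timeframe`. The point of running this is to separate "the rule never matches" from "the rule never executes": if the model fires on realistic data but the ElastAlert log never shows a `Ran nginx_filebeat from ... to ...` line, the problem is rule loading or scheduling rather than the filter.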
aogg commented 1 year ago

rules_folder: /opt/elastalert/rules

run_every:
  seconds: 10

buffer_time:
  minutes: 15

es_host: elasticsearch
es_port: 9200
es_username: b
es_password: a

writeback_index: elastalert_status

# alert_time_limit:
#   days: 2
jertel commented 1 year ago

What is inside of run.sh?

Paste the debug logs. Be sure to redact anything sensitive.

aogg commented 1 year ago

Run in Docker:

mkdir -p /data/docker/elastalert2/rules;\
touch /data/docker/elastalert2/elastalert.yaml;\
docker rm -f elastalert2;\
docker run -d --restart=always --name elastalert2 --network common-all \
-v /data/docker/elastalert2/elastalert.yaml:/opt/elastalert/config.yaml \
-v /data/docker/elastalert2/rules:/opt/elastalert/rules \
-v /usr/share/zoneinfo/PRC:/etc/localtime \
jertel/elastalert2:2 --verbose --debug

Log, not error:

INFO:elastalert:Background configuration change check run at 2023-03-30 04:21 CST
INFO:elastalert:Background alerts thread 0 pending alerts sent at 2023-03-30 04:21 CST
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 9.999892 seconds
INFO:elastalert:Background configuration change check run at 2023-03-30 04:22 CST
INFO:elastalert:Background alerts thread 0 pending alerts sent at 2023-03-30 04:22 CST
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 9.999877 seconds
jertel commented 1 year ago

The log looks fine. What is the problem?

jertel commented 1 year ago

Closing due to lack of follow-up. Can re-open if submitter chooses to continue the investigation.

zhushiyang commented 9 months ago

I also encountered this issue. How did you solve it?

jertel commented 9 months ago

Please start your own topic and follow the instructions in #11.