jertel / elastalert2

ElastAlert 2 is a continuation of the original yelp/elastalert project. Pull requests are appreciated!
https://elastalert2.readthedocs.org
Apache License 2.0
859 stars, 277 forks

The rules matched, but for some reason they were silenced #1484

Closed wangchao732 closed 2 weeks ago

wangchao732 commented 2 weeks ago

```
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent. To send them but remain verbose, use --verbose instead.
INFO:elastalert:Note: --debug and --verbose flags are set. --debug takes precedent.
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent. To send them but remain verbose, use --verbose instead.
INFO:elastalert:1 rules loaded
INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 179.999932 seconds
INFO:elastalert:Queried rule Prod Rule from 2024-07-03 09:44 CST to 2024-07-03 09:55 CST: 7 / 7 hits
INFO:elastalert:Skipping writing to ES: {'exponent': 0, 'rule_name': 'Prod Rule', '@timestamp': '2024-07-03T01:55:01.913510Z', 'until': '2024-07-03T02:55:01.913494Z'}
INFO:elastalert:Alert for Prod Rule at 2024-07-03T01:46:27.992Z:
INFO:elastalert:Prod Rule
```

```
@timestamp: 2024-07-03T01:46:27.992Z
@version: 1
_id: f6JFdpABVEXVlDRlp-VL
_index: k8slog-2024.07.03
fields: {
    "namespace": "dapr-application",
    "source": "k8slog"
}
host: {
    "name": "xxx "
}
log: {
    "file": {
        "path": "/var/log/containers/iot-data-transfer-consumer-5f6b6f78dd-knlbd_dapr-application_iot-data-transfer-consumer-6161781c35975c64e2326deccabd83870319569b7bd9de44f6d81e9d8c8e2d1e.log"
    },
    "offset": 44427593
}
message: 2024-07-03 09:46:27.992 ERROR 1 --- [adThread-363667] com.taosdata.jdbc.ws.WSClient : code : 1000 , reason: remote:false wsclient:com.xxx.jdbc.ws.WSClient@2e45bc63
num_hits: 7
num_matches: 7
stream: stdout
tags: [
    "_grokparsefailure"
]
```

```
INFO:elastalert:Ignoring match for silenced rule Prod Rule
INFO:elastalert:Ignoring match for silenced rule Prod Rule
INFO:elastalert:Ignoring match for silenced rule Prod Rule
INFO:elastalert:Ignoring match for silenced rule Prod Rule
INFO:elastalert:Ignoring match for silenced rule Prod Rule
INFO:elastalert:Ignoring match for silenced rule Prod Rule
INFO:elastalert:Skipping writing to ES: {'rule_name': 'Prod Rule', 'endtime': '2024-07-03T01:55:01.614606Z', 'starttime': '2024-07-03T01:44:52.793036Z', 'matches': 7, 'hits': 7, '@timestamp': '2024-07-03T01:55:01.914528Z', 'time_taken': 0.29988765716552734}
INFO:elastalert:Ran Prod Rule from 2024-07-03 09:44 CST to 2024-07-03 09:55 CST: 7 query hits (0 already seen), 7 matches, 0 alerts sent
INFO:elastalert:Prod Rule range 608
```

Command used:

```
/data/py3/bin/python3 -m elastalert.elastalert --config config.yaml --verbose --debug
```

config.yaml:

```yaml
rules_folder: rules/
run_every:
  minutes: 3
buffer_time:
  minutes: 15
es_host: xxx
es_port: 9200
es_username: elastic
es_password: xxx
use_ssl: true
verify_certs: True
server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: [ "xxx" ]
ca_certs: xxx
client_cert: /xxx
client_key: xxx
writeback_index: elastalert_status
alert:
```

rule:

```yaml
name: Prod Rule
type: any
index: xx*
# num_events and timeframe are frequency-rule options; an "any" rule alerts on every hit
num_events: 1
timeframe:
  minutes: 5
filter:
```

wangchao732 commented 2 weeks ago

```
py3/bin/elastalert-test-rule rules/prod.yaml --config config.yaml --alert
```

The message was successfully received.

wangchao732 commented 2 weeks ago

It looks like the whole rule has been silenced.

```
1719978664991
1719978665001
```

jertel commented 2 weeks ago

If you don't want it silenced, why do you specify `realert` of 1 hour? [image]

Also, please read #11 and format your messages appropriately. It's difficult to read them without proper formatting.
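The behaviour jertel is pointing at can be reproduced offline. The following is an added example, not ElastAlert 2's own code: it is a simplified model of the rule-level silence ElastAlert applies after an alert fires (the `until` record in the log above, one `realert` after the alert time), run over seven constructed matches. It also models `query_key` (one silence per key value), `realert: 0` (no silencing), and the fact that under `--debug` the silence record stays in memory only ("Skipping writing to ES"). The match timestamps, the second namespace, `SilenceCache` and `run_rule` are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: seven matches from one "Prod Rule" run, modelled on the
# log above. Timestamps and the "iot-gateway" namespace are made up for the example.
SAMPLE_MATCHES = [
    {"@timestamp": "2024-07-03T01:46:27.992Z", "namespace": "dapr-application"},
    {"@timestamp": "2024-07-03T01:47:02.001Z", "namespace": "dapr-application"},
    {"@timestamp": "2024-07-03T01:48:15.340Z", "namespace": "dapr-application"},
    {"@timestamp": "2024-07-03T01:49:44.120Z", "namespace": "dapr-application"},
    {"@timestamp": "2024-07-03T01:51:09.877Z", "namespace": "iot-gateway"},
    {"@timestamp": "2024-07-03T01:52:30.500Z", "namespace": "iot-gateway"},
    {"@timestamp": "2024-07-03T01:54:58.003Z", "namespace": "dapr-application"},
]

# Wall-clock time at which the run alerts (the log's 01:55:01Z). The silence
# window is measured from this time, not from the match's own @timestamp.
RUN_TIME = datetime(2024, 7, 3, 1, 55, 1, tzinfo=timezone.utc)


class SilenceCache:
    """Hypothetical in-memory stand-in for ElastAlert's silence records, which
    live in memory and, outside --debug, are also written to the writeback index."""

    def __init__(self, debug=False):
        self.debug = debug
        self._until = {}      # silence key -> datetime until which matches are ignored
        self.writeback = []   # documents that would be written to elastalert_status

    def is_silenced(self, key, now):
        until = self._until.get(key)
        return until is not None and now < until

    def until(self, key):
        return self._until.get(key)

    def set_realert(self, key, rule_name, now, until):
        self._until[key] = until
        doc = {"rule_name": rule_name, "@timestamp": now.isoformat(), "until": until.isoformat()}
        if self.debug:
            return doc        # "Skipping writing to ES": nothing is persisted in debug mode
        self.writeback.append(doc)
        return doc


def silence_key(rule, match):
    """One silence per rule, or one per query_key value when the rule sets query_key."""
    key = rule["name"]
    qk = rule.get("query_key")
    if qk:
        key = f"{key}.{match.get(qk, 'None')}"
    return key


def run_rule(rule, matches, now, cache):
    """Decide, for one run, which matches alert and which are silenced.

    Returns (sent, silenced). 'realert' is a duration dict such as {"hours": 1};
    the default modelled here is {"minutes": 1}, and a zero duration disables silencing.
    """
    realert = timedelta(**rule.get("realert", {"minutes": 1}))
    sent, silenced = [], []
    for match in matches:
        key = silence_key(rule, match)
        if cache.is_silenced(key, now):
            silenced.append(match)   # "Ignoring match for silenced rule ..."
            continue
        sent.append(match)
        if realert > timedelta(0):
            cache.set_realert(key, rule["name"], now, now + realert)
    return sent, silenced


if __name__ == "__main__":
    rule = {"name": "Prod Rule", "realert": {"hours": 1}}
    cache = SilenceCache(debug=True)
    sent, silenced = run_rule(rule, SAMPLE_MATCHES, RUN_TIME, cache)
    print(f"{len(sent)} alert(s) sent, {len(silenced)} silenced, "
          f"silenced until {cache.until('Prod Rule').isoformat()}")
```

With `realert` set to one hour, the first match alerts and the remaining six are silenced until 02:55:01Z, which is exactly the pattern in the log. Setting `query_key: namespace` gives one alert per namespace instead, and `realert: 0` alerts on every match. Because the run is in `--debug` mode, the silence record is never written to `elastalert_status`, so a restart would forget it.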