Quentin Long

Results 25 comments of Quentin Long

@tomfotherby It actually does both. It stores it locally in memory and uses that as a priority but then if there's no entry for that alert, it searches elasticsearch. https://github.com/Yelp/elastalert/blob/master/elastalert/elastalert.py#L1768...

Regarding `create_index`: I guess create_index effectively becomes obsolete if you are using this feature. Unless you are trying to copy data from an old index. That should be reflected in the...

If someone wants to test this branch and report back any issues, that would be awesome. I'll reprioritize getting this out, I think I still need to add documentation, do...

There are a few things that may cause this. If you have set `realert`, then it can ignore some alerts after the first one is sent. If this was the case,...

It appears that you are running elastalert with `--debug`. This will cause elastalert to log the alert body to console instead of sending an email. It would have appeared right...

There must have been an error that is not in the logs you have shared. Can you run this command and tell me what it returns?

```
curl localhost:9200/elastalert_status/elastalert_error/_search
```

Can you share the logs and the rule YAML? If your matches occur right next to each other, it will only send the first unless you add ``` realert: minutes:...

Add the `realert` setting in my last comment and you should get all the alerts. The default is 1 minute, which prevents it from generating hundreds of alerts at once.

I can see from your logs that in a single minute, there are 405 matches. `Ran freq12345 from 12-7 14:48 IST to 12-7 14:59 IST: 1863 query hits, 405 matches,...
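The `realert` behaviour described in the comments above (the first match alerts, further matches for the same rule are silenced until the window expires, and the silence record is looked up in memory first and only then in the persisted store) as an added example. This is not ElastAlert's own code: `RealertGate`, `run_matches` and the plain dictionary standing in for the Elasticsearch writeback lookup are names and simplifications introduced here, and the match timestamps are constructed to resemble the "405 matches in one minute" case from the log line.

```python
"""Added example, not ElastAlert code: a minimal realert gate.

Assumptions made here:
- a silence is keyed by rule name only (ElastAlert can also key by query_key);
- the persisted store is modelled as a dict from rule name to the time the
  silence expires, standing in for the Elasticsearch writeback index.
"""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Stand-in for the Elasticsearch lookup: returns the silence expiry for a key
# or None when no record exists.  In this example it is just dict.get.
LookupFn = Callable[[str], Optional[datetime]]


class RealertGate:
    """Decide, per match, whether an alert is sent or suppressed."""

    def __init__(self, realert: timedelta, lookup: LookupFn) -> None:
        self.realert = realert
        self.lookup = lookup
        # Local cache of silence expiries; consulted before the persisted store.
        self.silence_until: Dict[str, datetime] = {}

    def is_silenced(self, key: str, now: datetime) -> bool:
        until = self.silence_until.get(key)
        if until is None:
            # No local entry: fall back to the persisted record (e.g. a silence
            # written by a previous run) and cache whatever we find.
            until = self.lookup(key)
            if until is not None:
                self.silence_until[key] = until
        return until is not None and now < until

    def process(self, key: str, ts: datetime) -> bool:
        """Return True if an alert should be sent for this match."""
        if self.is_silenced(key, ts):
            return False
        # Sending an alert opens a new silence window of length `realert`.
        self.silence_until[key] = ts + self.realert
        return True


def run_matches(
    matches: List[Tuple[str, datetime]],
    realert_minutes: int,
    persisted: Optional[Dict[str, datetime]] = None,
) -> List[Tuple[str, datetime]]:
    """Replay matches through the gate and return the ones that alert."""
    store = persisted if persisted is not None else {}
    gate = RealertGate(timedelta(minutes=realert_minutes), store.get)
    return [(key, ts) for key, ts in matches if gate.process(key, ts)]


def constructed_matches() -> List[Tuple[str, datetime]]:
    # Constructed sample: twelve matches for one rule, 10 seconds apart,
    # starting at the time quoted in the log line above.
    base = datetime(2019, 12, 7, 14, 48, 0)
    return [("freq12345", base + timedelta(seconds=10 * i)) for i in range(12)]


if __name__ == "__main__":
    m = constructed_matches()
    print("realert 1 minute :", len(run_matches(m, 1)), "alerts sent")
    print("realert 0        :", len(run_matches(m, 0)), "alerts sent")
    silenced = {"freq12345": datetime(2019, 12, 7, 14, 53, 0)}
    print("persisted silence:", len(run_matches(m, 1, silenced)), "alerts sent")
```

With the default one-minute window only the first match and the one that lands exactly at the window's end alert; with `realert` set to 0 every match alerts, which is the "hundreds of alerts at once" outcome the comment warns about; and a silence that was persisted by an earlier run suppresses everything until it expires, even though the new process started with an empty cache.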

`from_addr: [email protected]` This is something that varies per SMTP server. Some, when given a "from" address without a domain, will append its own domain. Some, apparently, will return this error....