
Rule catches wrong documents

Open fberrez opened this issue 6 years ago • 0 comments

  • docker version: Docker version 19.03.5, build 633a0ea
  • image: bitsensor/elastalert:3.0.0-beta.0

I have the following rule:

name: Testing rule
description: Sends alerts when an error occurred
index: core-*
type: frequency
timeframe:
  minutes: 1
num_events: 1
filter:
  - query:
      query_string:
        query: 'fields.metadata.code.keyword: CODE_A or fields.metadata.code.keyword: CODE_B or fields.metadata.code.keyword: CODE_C'

realert:
  minutes: 1

This rule seems to catch the wrong documents, as I get the following alert:

[LOG] An error occured at 2020-01-08T08:32:50.208Z
- Code: CODE_D

As we can see, it catches an Elasticsearch document that has the code CODE_D.

fberrez, Jan 08 '20 08:01
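One thing worth checking in a rule like the one above: Lucene query_string syntax only recognises boolean operators written in uppercase (`OR`, `AND`, `NOT`), so a lowercase `or` between clauses is parsed as an ordinary search term rather than an operator. The script below is an added example (not ElastAlert's own code or anything from this issue) that lints a query_string filter for that pattern, rewrites it into an exact `terms` filter on the keyword field, and evaluates constructed sample documents against it; the sample documents and the dotted-path lookup are assumptions for illustration.

```python
"""Lint an ElastAlert query_string filter for lowercase boolean operators and
rewrite it as an exact `terms` filter.  Added example; not ElastAlert code."""
import re

# The query string from the rule in the issue above (copied from the post).
QUERY = ("fields.metadata.code.keyword: CODE_A or "
         "fields.metadata.code.keyword: CODE_B or "
         "fields.metadata.code.keyword: CODE_C")

LOWERCASE_OPS = re.compile(r"\s(or|and|not)\s")

def lint_query_string(query: str) -> list:
    """Return lowercase words that query_string syntax treats as search terms
    instead of boolean operators (operators must be uppercase)."""
    return LOWERCASE_OPS.findall(query)

def to_terms_filter(query: str):
    """Rewrite 'field: VALUE or field: VALUE ...' into a `terms` filter on a
    single field, which matches exact values with no operator parsing.
    Returns None when the query does not fit that simple shape."""
    clauses = re.split(r"\s+(?:or|OR)\s+", query.strip())
    pairs = [c.split(":", 1) for c in clauses]
    if any(len(p) != 2 for p in pairs):
        return None
    fields = {f.strip() for f, _ in pairs}
    if len(fields) != 1:
        return None
    return {"terms": {fields.pop(): [v.strip() for _, v in pairs]}}

def matches_terms(doc: dict, terms_filter: dict) -> bool:
    """Evaluate a `terms` filter against a nested document, resolving the
    dotted field path (the `.keyword` sub-field maps to the same value)."""
    (field, values), = terms_filter["terms"].items()
    node = doc
    for part in field.replace(".keyword", "").split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node in values

# Constructed sample documents (not from the issue).
DOC_A = {"fields": {"metadata": {"code": "CODE_A"}}, "message": "request failed"}
DOC_D = {"fields": {"metadata": {"code": "CODE_D"}},
         "message": "timeout on connect or read"}

if __name__ == "__main__":
    print("lowercase operators:", lint_query_string(QUERY))
    strict = to_terms_filter(QUERY)
    print("terms filter:", strict)
    for name, doc in (("DOC_A", DOC_A), ("DOC_D", DOC_D)):
        print(name, "matches strict filter:", matches_terms(doc, strict))
```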