
Old aggregation time still used when rerunning with different time

Open nyochai opened this issue 5 years ago • 0 comments

Hi, I'm running elastalert from the command line with `/usr/bin/python -m elastalert.elastalert --config /tmp/elastalert_config_file --verbose`

It runs one alert, which was supposed to aggregate notifications and notify once a day:

```yaml
name: "<<K8S_ENV>>: Bug!"

type: frequency
index: logstash-*
num_events: 1
timeframe:
  days: 1

max_query_size: 50

run_every:
  days: 1

doc_type: doc

filter:
  - query:
      query_string:
        query: "message: \"Test Craft Core for role *\""
alert:
  - "email"

email:
  - ###

aggregation:
  days: 1

smtp_host: "smtp.gmail.com"
smtp_port: ###
from_addr: ###
smtp_auth_file: ###
smtp_ssl: true
alert_text_type: alert_text_only
alert_text: "Number of hits: {}"
alert_text_args: [num_hits]
```

Then I changed it to run once every five minutes:

```yaml
name: "<<K8S_ENV>>: Bug!"

type: frequency
index: logstash-*
num_events: 1
timeframe:
  minutes: 5

max_query_size: 50

run_every:
  minutes: 5

doc_type: doc

filter:
  - query:
      query_string:
        query: "message: \"Test Craft Core for role *\""
alert:
  - "email"

email:
  - ###

aggregation:
  minutes: 5

smtp_host: "smtp.gmail.com"
smtp_port: ###
from_addr: ###
smtp_auth_file: ###
smtp_ssl: true
alert_text_type: alert_text_only
alert_text: "Number of hits: {}"
alert_text_args: [num_hits]
```

But when rerunning the command line I still get notified that the next notification will be in almost 24 hours, so the aggregation is not updated:

```text
/tmp/elastalert_rules # /usr/bin/python -m elastalert.elastalert --config /tmp/elastalert_config_file --verbose
INFO:elastalert:Starting up
INFO:elastalert:Queried rule <<K8S_ENV>>: Bug! from 2020-01-13 09:13 UTC to 2020-01-13 09:16 UTC: 0 / 0 hits
INFO:elastalert:Ran <<K8S_ENV>>: Bug! from 2020-01-13 09:13 UTC to 2020-01-13 09:16 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Sleeping for 29.973544 seconds
INFO:elastalert:Queried rule <<K8S_ENV>>: Bug! from 2020-01-13 09:13 UTC to 2020-01-13 09:17 UTC: 1 / 1 hits
INFO:elastalert:Adding alert for <<K8S_ENV>>: Bug! to aggregation(id: BTUGnm8BSdVvK2DDcvAg, aggregation_key: None), next alert at 2020-01-14 08:30:20.189348+00:00
```

The config file which was used:

```yaml
rules_folder: RULES_PATH
run_every:
  seconds: 30
buffer_time:
  minutes: 15
es_host: ELK_SERVER
es_port: 9200
writeback_index: elastalert_status
alert_time_limit:
  days: 2
```

**Expected Behavior:** Next alert to be in 5 minutes, messages should be aggregated. I'd appreciate any kind of help, thanks in advance!

nyochai, Jan 13 '20 10:01
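Added example, not part of the original issue and not ElastAlert's own code. The log line "Adding alert for ... to aggregation(id: ..., aggregation_key: None), next alert at ..." is the message ElastAlert emits when it finds an unsent aggregate document for the rule already stored in the writeback index (`elastalert_status` in the config above) and reuses that document's `alert_time`; the rule's new `aggregation` value is only consulted when no such document exists. The model below reproduces that decision with an in-memory stand-in for the writeback index (constructed sample documents; the field names `rule_name`, `alert_sent`, `alert_time`, `aggregate_id` are my reading of what ElastAlert stores and should be checked against your index), shows the stored 1-day time winning over the new 5-minute window, and shows the next alert time after the pending documents are cleared. `pending_aggregate_query()` returns the equivalent Elasticsearch query to inspect or delete those documents in a real deployment; it assumes the same field names.

```python
"""Model of how ElastAlert chooses the next aggregated-alert time.

Added example (not ElastAlert's code). When a pending, unsent aggregate
document for the rule exists in the writeback index, its stored alert_time
is reused; otherwise a new window is computed from the rule's `aggregation`.
"""
from datetime import datetime, timedelta, timezone

RULE_NAME = "<<K8S_ENV>>: Bug!"

# Constructed sample of the writeback index after the first run with
# `aggregation: {days: 1}`. Field names are an assumption about what
# ElastAlert writes for pending aggregates; verify against your index.
WRITEBACK = [
    {
        "_id": "BTUGnm8BSdVvK2DDcvAg",
        "rule_name": RULE_NAME,
        "alert_sent": False,
        "alert_time": "2020-01-14T08:30:20.189348+00:00",
        # no aggregate_id: this is the head document of the aggregation
    },
    {
        "_id": "already-sent",
        "rule_name": RULE_NAME,
        "alert_sent": True,
        "alert_time": "2020-01-12T08:30:20+00:00",
    },
]


def find_pending_aggregate_alert(writeback, rule_name, aggregation_key=None):
    """Return the unsent head document of an aggregation for this rule, if any.

    Same rule_name, alert_sent == False, no aggregate_id (member documents
    point at the head through aggregate_id), and matching aggregation key.
    """
    for doc in writeback:
        if doc.get("rule_name") != rule_name or doc.get("alert_sent"):
            continue
        if "aggregate_id" in doc:
            continue
        if doc.get("aggregation_key") != aggregation_key:
            continue
        return doc
    return None


def next_alert_time(rule, writeback, now):
    """Time at which the aggregated alert will fire, plus the reason."""
    pending = find_pending_aggregate_alert(writeback, rule["name"])
    if pending:
        stored = datetime.fromisoformat(pending["alert_time"])
        return stored, "reused stored alert_time from writeback doc %s" % pending["_id"]
    return now + rule["aggregation"], "new aggregation window from rule config"


def clear_pending_aggregates(writeback, rule_name):
    """Drop unsent aggregate documents for a rule so the next match starts a
    fresh aggregation window under the current rule config."""
    kept = [
        d for d in writeback
        if not (d.get("rule_name") == rule_name and not d.get("alert_sent"))
    ]
    return kept, len(writeback) - len(kept)


def pending_aggregate_query(rule_name):
    """Elasticsearch query body for the same lookup against the real
    writeback index (inspect with _search, reset with _delete_by_query).
    Assumes rule_name is a keyword field and the field names modelled above."""
    return {
        "query": {
            "bool": {
                "must": [
                    {"term": {"rule_name": rule_name}},
                    {"term": {"alert_sent": False}},
                ],
                "must_not": [{"exists": {"field": "aggregate_id"}}],
            }
        }
    }


def demo():
    """Scenario from the issue: rule changed to 5 minutes while a 1-day
    pending aggregate is still stored."""
    rule = {"name": RULE_NAME, "aggregation": timedelta(minutes=5)}
    now = datetime(2020, 1, 13, 9, 17, tzinfo=timezone.utc)
    before, why_before = next_alert_time(rule, WRITEBACK, now)
    kept, removed = clear_pending_aggregates(WRITEBACK, RULE_NAME)
    after, why_after = next_alert_time(rule, kept, now)
    return {
        "before": before.isoformat(),
        "why_before": why_before,
        "removed": removed,
        "after": after.isoformat(),
        "why_after": why_after,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%s: %s" % (k, v))
```

The practical check this suggests: after shortening `aggregation`, look in the writeback index for unsent aggregate documents of that rule and remove them (or point `writeback_index` at a fresh index) before restarting, otherwise the previously stored `alert_time` keeps governing when the alert fires. The same persistence means anyone who can write to the writeback index can push an aggregation's `alert_time` out and delay alerts, so that index deserves the same access control as the rule files.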