elastalert
Elasticsearch query malformed when rule.yaml uses 2 space indentation
When rule files are indented with 2 spaces (the yaml suggested indentation), queries become malformed with the error message:
```
WARNING:elasticsearch:GET http://elasticsearch:9200/logstash*/_search?_source_include=%40timestamp%2C%2A&ignore_unavailable=true&scroll=30s&size=10000 [status:400 request:0.156s]
ERROR:root:Error running query: RequestError(400, u'parsing_exception', u'[query_string] malformed query, expected [END_OBJECT] but found [FIELD_NAME]')
```
Example rule.yml which caused the issue; moving to 4-space indentation fixes the rule:
```yaml
name: Test Rule
alert_text: "Test Rule"
type: frequency
index: logstash*
num_events: 1
timeframe:
  minutes: 1
filter:
- query:
  query_string:
    query: '*'
alert:
- slack
slack_webhook_url: "https://hooks.slack.com/services/XXXXX/XXXXX"
```
I'm using the docker image bitsensor/elastalert:2.0.1 as a base, with the following dockerfile (it has the unpinned elasticsearch version fix):

```dockerfile
FROM bitsensor/elastalert:2.0.1
RUN apk add --update --no-cache py2-pip
RUN pip install elasticsearch==6.3.1
```
Holy #@$% you just saved my sanity...
Can confirm with current master from git.

Works:

```yaml
filter:
- query:
    query_string:
      query: "system.auth.ssh.event: Accepted"
```

Doesn't work:

```yaml
filter:
- query:
  query_string:
    query: "system.auth.ssh.event: Accepted"
```
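Added example, not code from the issue or from the ElastAlert project: parsing both indentation variants with PyYAML (the library ElastAlert loads rule files with) shows why the 2-space form fails, and a small lint function flags that shape before a rule is deployed. The rule snippets are constructed, and `load_filter` / `lint_filter` are names chosen here.

```python
import yaml

# Constructed sample: children indented 2 spaces under "- query:". Since
# "- " is itself two characters wide, "query_string" lands in the same
# column as "query" and parses as its sibling, leaving "query" null.
BROKEN_RULE = """\
filter:
- query:
  query_string:
    query: '*'
"""

# Constructed sample: children indented 4 spaces, so they nest under "query".
GOOD_RULE = """\
filter:
- query:
    query_string:
      query: '*'
"""


def load_filter(rule_text):
    """Parse rule YAML and return the list under the top-level 'filter' key."""
    return yaml.safe_load(rule_text)["filter"]


def lint_filter(filters):
    """Return problems found in an ElastAlert filter list (empty list = OK).

    Each item must be a mapping with exactly one key (the query DSL clause)
    whose value is itself a mapping. A null body or extra sibling keys are
    the shapes Elasticsearch rejects with 'expected [END_OBJECT] but found
    [FIELD_NAME]'.
    """
    problems = []
    for i, item in enumerate(filters):
        if not isinstance(item, dict):
            problems.append(f"filter[{i}]: item is not a mapping")
            continue
        if len(item) != 1:
            problems.append(f"filter[{i}]: expected one clause, got {sorted(item)}")
        for clause, body in item.items():
            if body is None:
                problems.append(f"filter[{i}]: '{clause}' has no body (check indentation)")
            elif not isinstance(body, dict):
                problems.append(f"filter[{i}]: '{clause}' body is not a mapping")
    return problems


if __name__ == "__main__":
    for label, text in (("2-space", BROKEN_RULE), ("4-space", GOOD_RULE)):
        parsed = load_filter(text)
        print(label, parsed, lint_filter(parsed) or "OK")
```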