Range timestamp filter
Nib0ort opened this issue · 0 comments
Nib0ort commented
Hello
I want this rule to send me an email when ElastAlert detects, at least 5 times in less than 10 seconds, a certain type of log containing a string of characters.
Here is my rule, but I don't get an email with 6 logs sent in less than 10 seconds.
I'm using this command to send logs:
`logger -t corosync is down`
```yaml
es_host: ip
es_port: port
name: TEST
type: frequency
index: filebeat-*
filter:
- query_string:
    # the phrase is quoted inside the query string, so the YAML value
    # itself uses single quotes
    query: 'message:"is down"'
- range:
    "@timestamp":
      gte: "now-10s/s"
timeframe:
  seconds: 10
is_enabled: true
num_events: 5
alert:
- "email"
alert_text_type: alert_text_only
alert_text: |
  Link is down on host {0}
  See full message : {1}
  THIS IS A TEST MESSAGE
alert_text_args: ["host.name", "message"]
alert_subject: "[ElastAlert] PROXMOX : Link down alert"
from_addr: "addresse"
email:
- "myemail"
smtp_host: smtp_host
smtp_port: smtp_port
smtp_auth_file: smtp_auth.yaml
smtp_ssl: false
```
Thanks for helping
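The counting the rule above relies on, as an added example that is not part of this issue or of ElastAlert's own code: a sliding-window model of the `frequency` rule type (fire when `num_events` matching events fall inside `timeframe`, then hold off for ElastAlert's default `realert` of one minute), run over constructed sample events. The `visible_to_query` function models one assumption worth checking with such a rule: an extra `range` clause of `gte: now-10s/s` is ANDed with the rule's own time window and Elasticsearch resolves `now` when the query executes, so events older than 10 seconds at query time are dropped before ElastAlert can count them. The sample events, the host name `pve1`, and the `at()` helper are constructed for the example; rounding from `/s` is ignored.

```python
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def at(seconds):
    """Timestamp `seconds` after T0 (helper for the constructed sample data)."""
    return T0 + timedelta(seconds=seconds)


# Constructed sample events (not taken from the issue): six "corosync is down"
# lines within six seconds, plus one unrelated line that must not be counted.
SAMPLE_EVENTS = [
    {"@timestamp": at(s), "host.name": "pve1", "message": "corosync is down"}
    for s in (0, 1, 2, 3, 4, 5)
] + [{"@timestamp": at(3), "host.name": "pve1", "message": "corosync is up"}]


def matches_filter(event, phrase="is down"):
    """Stand-in for the rule's query_string filter message:"is down"
    (a plain phrase match on the message field; hypothetical simplification)."""
    return phrase in event["message"]


def frequency_alerts(events, num_events=5, timeframe_s=10, realert_s=60):
    """Sliding-window counter modelled on ElastAlert's frequency rule type:
    fire once num_events matching events fall inside timeframe_s seconds,
    then stay quiet for realert_s (ElastAlert's default realert is 1 minute).
    Returns the timestamps at which an alert would be sent."""
    timeframe = timedelta(seconds=timeframe_s)
    realert = timedelta(seconds=realert_s)
    window = []      # timestamps of matching events still inside the timeframe
    fired = []
    last_fired = None
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        ts = ev["@timestamp"]
        window = [t for t in window if ts - t < timeframe] + [ts]
        if len(window) >= num_events and (
                last_fired is None or ts - last_fired >= realert):
            fired.append(ts)
            last_fired = ts
    return fired


def visible_to_query(events, query_time, lookback_s=10):
    """Model of the extra range clause "@timestamp": {gte: now-10s/s}.
    Assumption: Elasticsearch resolves "now" when the query runs, so only
    events younger than lookback_s at query_time survive the ANDed filter."""
    cutoff = query_time - timedelta(seconds=lookback_s)
    return [e for e in events if e["@timestamp"] >= cutoff]


if __name__ == "__main__":
    for fired_at in frequency_alerts(SAMPLE_EVENTS):
        print("alert would fire at", fired_at.isoformat())
    for delay in (12, 30):
        seen = visible_to_query(SAMPLE_EVENTS, at(delay))
        print(f"query {delay}s after the first event sees {len(seen)} events, "
              f"alerts: {len(frequency_alerts(seen))}")
```

On the full stream the fifth matching event (at T0+4s) triggers exactly one alert and the sixth is absorbed by the realert hold-off; on the subset that a query run 12 seconds after the first event would still see through the `now-10s/s` clause, only four matches remain and nothing fires. Removing the `range` clause and relying on `timeframe` alone is the configuration to compare against when debugging a rule like this.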