Frequency rule

[pradeepgadkari]

I want to create an alert for any ERROR log received . Below is my rule

# (Required)
# Rule name, must be unique
name: Error rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: log_alert

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 5

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- term:
    message_type: "ERROR"

If I filter kibana with message_type: "ERROR",I see error logs but there are no hits in elastalert query.

INFO:elastalert:Queried rule Error rule from 2021-05-05 10:27 W. Europe Summer Time to 2021-05-05 10:42 W. Europe Summer Time: 0 / 0 hits
INFO:elastalert:Ran Error rule from 2021-05-05 10:27 W. Europe Summer Time to 2021-05-05 10:42 W. Europe Summer Time: 0 query hits (0 already seen), 0 matches, 0 alerts sent

[jertel]

The rule appears formatted correctly. Is there any chance of a timezone mismatch? Or perhaps ElastAlert is pointing at the wrong Elasticsearch instance?

You could debug the problem by changing the index to "*" and switching from a term filter to a query_string filter of "*". Then, once you start getting hits, begin narrowing down the index and filter to help isolate the problem.

[pradeepgadkari]

I changed the term filter from message_type to message_type.keyword and it works.