Replies: 3 comments
- Adding
- I just tried to reproduce this but my response in ElastAlert2 is returning the `aggregations` key. This is using the Kibana sample data.
  I suggest enabling full debug logging to get a deeper understanding of what's happening in ElastAlert 2.
- omg, it was a permission problem: the user credential used by ElastAlert did not have permission to access this particular index. I have opened a PR for the documentation to point to this potential source of problems: #1324
- I stumbled upon a problem when using a `flatline` alert in combination with `query_key`. This is executed against Elasticsearch 8.5. I created a Python virtualenv and executed `python setup.py install` from the ElastAlert 2.15.0 git branch.

  First, the rule:

  Using `elastalert-test-rule`, this does not return any results for a time window that should trigger the alert. I added some additional debug logging to elastalert.py. The relevant query that is being executed is as follows:

  The result does not contain an `aggregations` key and will therefore hit the `if 'aggregations' not in res:` branch (elastalert2.py:511).

  Now comes the interesting part: if I execute the same query from the Kibana development console, I get a result that contains an `aggregations` key:

  It seems there is an option either in the `self.thread_data.current_es` object or somewhere else that prevents aggregation results from being returned. Any ideas?
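As an added illustration of the symptom in this thread (example code, not from the original post or from ElastAlert 2): a small Python diagnostic that classifies a search response which lacks the `aggregations` key although the request asked for one, extracts per-`query_key` counts from a terms aggregation the way a flatline check needs them, and builds the request body for Elasticsearch's `_has_privileges` API so the ElastAlert credential's read access to the index pattern can be confirmed. The request body, both sample responses, and the field and host names are constructed here; the `counts` aggregation name and the `host.name` field are assumptions, not the rule from the thread.

```python
"""Diagnose an Elasticsearch search response that has no 'aggregations' key
even though the request asked for aggregations (the symptom in this thread).
Added example code; not part of ElastAlert 2."""
from typing import Any, Dict, List

# Constructed request body modelled on what a flatline rule with query_key
# sends: a terms aggregation over the query_key field within a time window.
# The field names and the window are assumptions, not the thread's rule.
QUERY_BODY: Dict[str, Any] = {
    "size": 0,
    "query": {"bool": {"filter": [{"range": {"@timestamp": {
        "gt": "2023-01-01T00:00:00Z", "lte": "2023-01-01T01:00:00Z"}}}]}},
    "aggs": {"counts": {"terms": {"field": "host.name", "size": 50}}},
}

# Constructed response of the shape Elasticsearch returns when the index
# pattern resolves to no index the caller may read: hits are empty, no
# shards were searched, and there is no 'aggregations' key at all.
RESPONSE_NO_AGGS: Dict[str, Any] = {
    "took": 1, "timed_out": False,
    "_shards": {"total": 0, "successful": 0, "skipped": 0, "failed": 0},
    "hits": {"total": {"value": 0, "relation": "eq"}, "max_score": None, "hits": []},
}

# Constructed response for the same request from a user who can read the index.
RESPONSE_WITH_AGGS: Dict[str, Any] = {
    "took": 3, "timed_out": False,
    "_shards": {"total": 1, "successful": 1, "skipped": 0, "failed": 0},
    "hits": {"total": {"value": 42, "relation": "eq"}, "max_score": None, "hits": []},
    "aggregations": {"counts": {
        "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
        "buckets": [{"key": "web-01", "doc_count": 40},
                    {"key": "web-02", "doc_count": 2}]}},
}


def requested_aggs(body: Dict[str, Any]) -> List[str]:
    """Top-level aggregation names in a search body ('aggs' or 'aggregations')."""
    return sorted(body.get("aggs") or body.get("aggregations") or {})


def diagnose(body: Dict[str, Any], response: Dict[str, Any]) -> str:
    """Classify a response instead of silently treating a missing
    'aggregations' key as 'no data', which is what a bare
    `if 'aggregations' not in res` branch does."""
    names = requested_aggs(body)
    if not names:
        return "no-aggs-requested"
    aggs = response.get("aggregations")
    if aggs is not None:
        missing = [n for n in names if n not in aggs]
        return "ok" if not missing else "partial-aggregations"
    shards = response.get("_shards", {})
    if shards.get("failed", 0):
        return "shard-failures"
    if shards.get("total", 0) == 0:
        # Nothing was searched: the index name/pattern matched nothing the
        # caller is authorised to read. Check the pattern and the user's
        # index privileges before suspecting the client or the query.
        return "no-readable-indices"
    return "aggregations-missing"


def query_key_counts(response: Dict[str, Any], agg_name: str) -> Dict[str, int]:
    """Per-query_key document counts from a terms aggregation; empty when the
    aggregation is absent, which a flatline rule would read as 'no events'."""
    buckets = response.get("aggregations", {}).get(agg_name, {}).get("buckets", [])
    return {b["key"]: b["doc_count"] for b in buckets}


def has_privileges_body(index_pattern: str,
                        privileges=("read", "view_index_metadata")) -> Dict[str, Any]:
    """Request body for POST /_security/user/_has_privileges, sent as the
    ElastAlert user, to confirm it may read the rule's index pattern."""
    return {"index": [{"names": [index_pattern], "privileges": list(privileges)}]}


if __name__ == "__main__":
    for label, resp in (("elastalert", RESPONSE_NO_AGGS), ("kibana", RESPONSE_WITH_AGGS)):
        print(label, diagnose(QUERY_BODY, resp), query_key_counts(resp, "counts"))
```

Elasticsearch expands a wildcard index pattern only to the indices the caller is authorised to read, so a credential without `read` on the target index can yield an empty, error-free response rather than a 403. Looking at `_shards.total` and running `_has_privileges` with the body above, as the ElastAlert user, separates that case from a genuinely quiet time window, which is the distinction the thread's resolution turned on.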