```yaml
# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

es_host: localhost
es_port: 9200

index: metricbeat-*

buffer_time:
  hours: 1

metric_agg_key: system.cpu.user.pct
metric_agg_type: avg
query_key: beat.hostname
doc_type: metricsets

bucket_interval:
  minutes: 5
sync_bucket_interval: true
#allow_buffer_time_overlap: true
#use_run_every_query_size: true

min_threshold: 0.5

filter:
- range:
    system.cpu.user.pct:
      from: 0.05
      to: 0.07

# (Required)
# The alert is used when a match is found
alert:
- "email"

# (required, email specific)
# a list of email addresses to send alerts to
email:
- "chiangpohlin@newict.com"
```

I think the rule works fine, because when I try to test it by running `elastalert-test-rule test.yaml`, I get this:

```text
Successfully loaded Metricbeat
Got 155 hits from the last 1 day
Available terms in first hit:
        beat.hostname
        beat.name
        beat.version
        @timestamp
        metricset.rtt
        metricset.name
        metricset.module
        system.cpu.softirq.pct
        system.cpu.iowait.pct
        system.cpu.system.pct
        system.cpu.idle.pct
        system.cpu.user.pct
        system.cpu.irq.pct
        system.cpu.steal.pct
        system.cpu.nice.pct
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
                To send them but remain verbose, use --verbose instead.
INFO:elastalert:Alert for Metricbeat, SenzoServer at 2018-03-20T03:25:00Z:
INFO:elastalert:Metricbeat
Threshold violation, avg:system.cpu.user.pct 0.053 (min: 0.5 max : None)
@timestamp: 2018-03-20T03:25:00Z
beat.hostname: SenzoServer
num_hits: 155
num_matches: 16
system.cpu.user.pct_avg: 0.053
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
Would have written the following documents to writeback index (default is elastalert_status):
silence - {'rule_name': u'Metricbeat.SenzoServer', '@timestamp': datetime.datetime(2018, 3, 20, 4, 38, 38, 277518, tzinfo=tzutc()), 'exponent': 0, 'until': datetime.datetime(2018, 3, 20, 4, 39, 38, 277508, tzinfo=tzutc())}
elastalert_status - {'hits': 155, 'matches': 16, '@timestamp': datetime.datetime(2018, 3, 20, 4, 38, 38, 279438, tzinfo=tzutc()), 'rule_name': 'Metricbeat', 'starttime': datetime.datetime(2018, 3, 19, 4, 38, 38, 173884, tzinfo=tzutc()), 'endtime': datetime.datetime(2018, 3, 20, 4, 38, 38, 173884, tzinfo=tzutc()), 'time_taken': 0.09930419921875}
```

So then I try to run it using `python -m elastalert.elastalert --verbose --rule test.yaml`, and I get this:

```text
Traceback (most recent call last):
  File "/usr/lib/python2.7/runpy.py", line 162, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/elastalert.py", line 1856, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/elastalert.py", line 1850, in main
    client = ElastAlerter(args)
  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/elastalert.py", line 130, in __init__
    self.conf = load_rules(self.args)
  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/config.py", line 433, in load_rules
    conf = yaml_loader(filename)
  File "/usr/local/lib/python2.7/dist-packages/staticconf/loader.py", line 167, in yaml_loader
    with open(filename) as fh:
IOError: [Errno 2] No such file or directory: 'config.yaml'
```

Is something wrong with my elastalert installation? I have already tried installing requirements.txt, but it is still not working.

Hey guys, I was able to solve it by running: `python -m elastalert.elastalert --verbose --rule example_rules/example_frequency.yaml --config config.yaml.example`. After `cd elastalert`, I searched the whole server and there is no config.yaml file, but I found and used config.yaml.example, and it works :D – Poh Lin Mar 20, 2018 at 10:27

^ Please add your solution to the answer box below (there's a button to answer your own question). – halfer Mar 20, 2018 at 13:10

ElastAlert needs a config file to connect with ES and load other attributes. elastalert-test comes with its own config file (config.yaml.example).

To solve the issue, please make a copy of config.yaml.example and rename it to config.yaml. Make the necessary changes in config.yaml and things will fall into place.

Thanks
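A small preflight check for the two failure modes in this thread, added here as an example and not code from the ElastAlert project: it reports a missing config.yaml the way the traceback's `open()` would (pointing at config.yaml.example when that is what exists), and lists required keys missing from an already-parsed rule or global config, including the rule-level override of es_host/es_port. The required-key lists are my recollection of the ElastAlert docs (verify against your version), the rule dict is the question's rule re-typed by hand (as pasted it has no name/type header, which the checker flags), and the e-mail address is a placeholder.

```python
import os

# Required keys, from the ElastAlert docs as I recall them; verify against your version.
GLOBAL_REQUIRED = ("rules_folder", "run_every", "buffer_time", "es_host", "es_port", "writeback_index")
RULE_REQUIRED = ("name", "type", "index", "alert")          # es_host/es_port may come from global config
METRIC_AGG_REQUIRED = ("metric_agg_key", "metric_agg_type", "doc_type")  # plus min_/max_threshold


def config_path_problems(config_path="config.yaml"):
    """Reproduce the failing open() from the traceback and say how to fix it."""
    if os.path.isfile(config_path):
        return []
    msg = "%s not found (cwd=%s)" % (config_path, os.getcwd())
    if os.path.isfile(config_path + ".example"):
        msg += "; copy %s.example to %s or pass --config %s.example" % ((config_path,) * 3)
    return [msg]


def rule_problems(rule, global_conf):
    """Problems with an already-parsed rule dict, given the parsed global config dict."""
    problems = ["global config missing key: %s" % k for k in GLOBAL_REQUIRED if k not in global_conf]
    problems += ["rule missing key: %s" % k for k in RULE_REQUIRED if k not in rule]
    for k in ("es_host", "es_port"):  # a rule-level value overrides the global one
        if k not in rule and k not in global_conf:
            problems.append("%s set in neither rule nor global config" % k)
    if rule.get("type") == "metric_aggregation":
        problems += ["metric_aggregation rule missing key: %s" % k for k in METRIC_AGG_REQUIRED if k not in rule]
        if not ("min_threshold" in rule or "max_threshold" in rule):
            problems.append("metric_aggregation rule needs min_threshold or max_threshold")
    return problems


def preflight(rule_path, config_path="config.yaml"):
    """Run both checks against files on disk (PyYAML is an ElastAlert dependency)."""
    import yaml
    problems = config_path_problems(config_path)
    if problems:
        return problems
    with open(config_path) as fh:
        global_conf = yaml.safe_load(fh) or {}
    with open(rule_path) as fh:
        return rule_problems(yaml.safe_load(fh) or {}, global_conf)


# Constructed sample: the question's rule as pasted, whose name/type header is absent.
QUESTION_RULE = {
    "run_every": {"minutes": 1}, "es_host": "localhost", "es_port": 9200, "index": "metricbeat-*",
    "buffer_time": {"hours": 1}, "metric_agg_key": "system.cpu.user.pct", "metric_agg_type": "avg",
    "query_key": "beat.hostname", "doc_type": "metricsets", "bucket_interval": {"minutes": 5},
    "sync_bucket_interval": True, "min_threshold": 0.5, "alert": ["email"], "email": ["alerts@example.invalid"],
    "filter": [{"range": {"system.cpu.user.pct": {"from": 0.05, "to": 0.07}}}],
}
```

Run `preflight("test.yaml")` from the directory you start ElastAlert in, since that is where it looks for config.yaml by default.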
