time based Enhancements #1477
-
|
So I work with integrations, they have a connection status field. Elastic alert checks the statis every 15 mins. I use elastalert to check if the integration has failed or not by checking the integration status field for an "F". The problem is that, alot of times the integration fails for 2 cycles(30 mins) due to connection issues so I would like elastalert to alert me if the integration is on F status for three cycles. How would I make an enhancement as such, this is more of a question on the programming logic....any helpwould be appreciated....thanks |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 14 replies
-
|
Did you consider using a frequency rule, that only alerts when the number of status=F records is > 2 in a 30 minute window? |
Beta Was this translation helpful? Give feedback.
-
|
Yes, that actually could work, however there are quite a few integrations that are consistently F and would show up as false alerts. Due to those permanently F integrations I am using the change rule type. I was wondering if there is a variable or key that I could refer to as the count of that field in enhancements? |
Beta Was this translation helpful? Give feedback.
-
|
I was working on some code, how would I set a while loop based off the data generated in the query, if I could count the number of Fs in the data that is queried? How are the documents stored when a query is run and how can they be called? |
Beta Was this translation helpful? Give feedback.
-
|
I dount think the count is currently saved in memory, so it's likely unavailable to the enhancement. But if you are not using |
Beta Was this translation helpful? Give feedback.
-
|
okay, How would I be able to list the var from showing the data visually? if they are three seperate documents could I access them in enhancements, all three? and count them? |
Beta Was this translation helpful? Give feedback.
-
|
I mentioned above that the records are available in the |
Beta Was this translation helpful? Give feedback.
-
|
My bad I understand now, I can basically iterate over the contents of the matches variable and see if there is a string match for integration_status: F and, +=1 a counter every time there is a match. thank you |
Beta Was this translation helpful? Give feedback.
-
|
does the matches variable contain the (for example) 3 documents as 3 dictionaries within a list or is it simply one list? @jertel I am assuming its a dictionary in list because thats what makes sense would separate the data but just want to get your confirmation |
Beta Was this translation helpful? Give feedback.
I dount think the count is currently saved in memory, so it's likely unavailable to the enhancement. But if you are not using
use_count_query: truethen thematcheslist var inside of the enhancement should have the returned records from the query.