I am trying to use Elastalert with a simple rule, but it does not seem to work properly. My rule is:
# Elasticsearch host
es_host: elasticsearch
# The elasticsearch port
es_port: 9200
name: dzd_count_zero
type: any
index: logstash-*
filter:
- term:
    project: "drop_zone_dub"
- terms:
    name: ["s3_count", "dzd_nas_pcount"]
alert:
- "email"
email:
- "myemail@m.com"
When I run it in debug mode I get:
elastalert:Ran dzd_count_zero from 2016-03-02 13:59 UTC to 2016-03-02 17:59 UTC: 16 query hits, 0 matches, 0 alerts sent
If the rule type is "any", it should alert on every query hit, but as you can see that is not what happens. Any ideas?
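The following Python script is an added illustration and is not part of the question or of ElastAlert itself. It transcribes the rule's two filter clauses into a Python list and evaluates them locally against a handful of constructed hits the way Elasticsearch and ElastAlert would: the clauses in `filter` are ANDed (ElastAlert's documentation states that every filter must match), a `term` clause is an exact, case-sensitive comparison against the stored value with no analysis of the query string, a `terms` clause is a membership test, and the `any` rule type turns every hit that passes the filter into a match. The hit documents and the helper names (`to_query`, `clause_matches`, `any_rule_matches`) are assumptions made for the example.

```python
"""
Local simulation of an ElastAlert ``any`` rule's ``filter`` evaluation.

Added example, not ElastAlert's own code. It covers only the two clause
types used in the rule above (``term`` and ``terms``).
"""

# The ``filter`` block of the rule above, transcribed into Python.
RULE_FILTER = [
    {"term": {"project": "drop_zone_dub"}},
    {"terms": {"name": ["s3_count", "dzd_nas_pcount"]}},
]


def to_query(filters):
    """Combine a rule's filter list the way ElastAlert does: every clause must
    hold, i.e. a bool/must. (The exact wrapper ElastAlert emits depends on the
    Elasticsearch version; the AND semantics are the point here.)"""
    return {"query": {"bool": {"must": list(filters)}}}


def clause_matches(clause, doc):
    """Evaluate one ``term``/``terms`` clause against a flat document dict.

    ``term`` compares the stored value exactly and case-sensitively; the query
    string is not analyzed.  ``terms`` succeeds when the stored value is one of
    the listed values.  A document that lacks the field never matches.
    """
    (kind, body), = clause.items()
    (field, expected), = body.items()
    if field not in doc:
        return False
    value = doc[field]
    if kind == "term":
        return value == expected
    if kind == "terms":
        return value in expected
    raise ValueError("unsupported clause type: %s" % kind)


def any_rule_matches(filters, hits):
    """Return the hits an ``any`` rule would turn into matches: every hit that
    satisfies all filter clauses.  ``len(result)`` is the 'matches' count in
    ElastAlert's debug summary."""
    return [hit for hit in hits if all(clause_matches(c, hit) for c in filters)]


# Constructed sample hits (assumption: not real index data).
SAMPLE_HITS = [
    {"@timestamp": "2016-03-02T14:00:00Z", "project": "drop_zone_dub", "name": "s3_count"},
    {"@timestamp": "2016-03-02T14:05:00Z", "project": "drop_zone_dub", "name": "dzd_nas_pcount"},
    # Different case: ``term`` does not analyze or lowercase, so no match.
    {"@timestamp": "2016-03-02T14:10:00Z", "project": "drop_zone_dub", "name": "S3_count"},
    {"@timestamp": "2016-03-02T14:15:00Z", "project": "Drop_Zone_Dub", "name": "s3_count"},
    # Name not in the ``terms`` list.
    {"@timestamp": "2016-03-02T14:20:00Z", "project": "drop_zone_dub", "name": "other_count"},
    # Field missing entirely.
    {"@timestamp": "2016-03-02T14:25:00Z", "project": "drop_zone_dub"},
]


if __name__ == "__main__":
    import json

    print(json.dumps(to_query(RULE_FILTER), indent=2))
    matches = any_rule_matches(RULE_FILTER, SAMPLE_HITS)
    print("%d query hits, %d matches" % (len(SAMPLE_HITS), len(matches)))
    for hit in matches:
        print("  match:", hit["@timestamp"], hit["project"], hit["name"])
```

Against the constructed hits the script reports 6 query hits and 2 matches, which is the shape the debug line above should take when the rule behaves as intended. For the real index, the `elastalert-test-rule` script shipped with ElastAlert runs a rule file against Elasticsearch and prints the hits it retrieves together with the matches the rule type produces, which is the quickest way to see which documents the filter is returning and whether their field values compare exactly to the `term` and `terms` values in the rule.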