
I am creating an application where I need to send a mail with ElastAlert. When I run the command python -m elastalert.elastalert --verbose --rule myrules\myrule.yaml to trigger the rule, I get an exception as follows:

:\ELK_Info\ElastAlert\elastalert-master>python -m elastalert.elastalert --verbose --rule myrules\myrule.yaml
INFO:elastalert:Starting up
WARNING:elasticsearch:GET http://localhost:9200/elastalert_status_status/elastalert/_search?size=1000 [status:400 request:0.034s]
ERROR:root:Error finding recent pending alerts: RequestError(400, u'search_phase_execution_exception', u'No mapping found for [alert_time] in order to sort on'){'sort': {'alert_time': {'order': 'asc'}}, 'query': {'bool': {'filter': {'range': {'alert_time': {'to': '2018-09-10T06:09:15.858Z', 'from': '2018-09-08T06:09:15.858Z'}}}, 'must': {'query_string': {'query': '!_exists_:aggregate_id AND alert_sent:false'}}}}}
Traceback (most recent call last):
  File "D:\ELK_Info\ElastAlert\elastalert-master\elastalert\elastalert.py", line 1522, in find_recent_pending_alerts
    size=1000)
  File "C:\Python27\lib\site-packages\elasticsearch\client\utils.py", line 76, in _wrapped
    return func(*args, params=params, **kwargs)
  File "C:\Python27\lib\site-packages\elasticsearch\client\__init__.py", line 660, in search
    doc_type, '_search'), params=params, body=body)
  File "C:\Python27\lib\site-packages\elasticsearch\transport.py", line 318, in perform_request
    status, headers_response, data = connection.perform_request(method, url, params, body, headers=headers, ignore=ignore, timeout=timeout)
  File "C:\Python27\lib\site-packages\elasticsearch\connection\http_requests.py", line 90, in perform_request
    self._raise_error(response.status_code, raw_data)
  File "C:\Python27\lib\site-packages\elasticsearch\connection\base.py", line 125, in _raise_error
    raise HTTP_EXCEPTIONS.get(status_code, TransportError)(status_code, error_message, additional_info)
RequestError: RequestError(400, u'search_phase_execution_exception', u'No mapping found for [alert_time] in order to sort on')
INFO:elastalert:Queried rule Log Level Test from 2018-09-10 11:39 India Standard Time to 2018-09-10 11:39 India Standard Time: 0 / 0 hits
INFO:elastalert:Ran Log Level Test from 2018-09-10 11:39 India Standard Time to 2018-09-10 11:39 India Standard Time: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Sleeping for 1.844 seconds
INFO:elastalert:SIGINT received, stopping ElastAlert...

No mapping found for [alert_time] in order to sort on

http://localhost:9200/elastalert_status_status/_mapping/elastalert_status

Output of this API is as follows:

{
    "elastalert_status_status": {
        "mappings": {
            "elastalert_status": {
                "properties": {
                    "@timestamp": {
                        "type": "date"
                    },
                    "endtime": {
                        "type": "date"
                    },
                    "hits": {
                        "type": "long"
                    },
                    "matches": {
                        "type": "long"
                    },
                    "rule_name": {
                        "type": "text",
                        "fields": {
                            "keyword": {
                                "type": "keyword",
                                "ignore_above": 256
                            }
                        }
                    },
                    "starttime": {
                        "type": "date"
                    },
                    "time_taken": {
                        "type": "float"
                    }
                }
            }
        }
    }
}

Rule file content:

es_host: localhost
es_port: 9200
name: Log Level Test
type: frequency
index: testindexv4
num_events: 1
timeframe:
   hours: 4
filter:
 - term:
     log_level.keyword: "ERROR"
 - query:
     query_string:
       query: "log_level.keyword: ERROR"
alert:
- "email"
email:
- "<mailId>@gmail.com"

Any idea how to solve this, please?

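As an added check (not part of the question or of ElastAlert's own code): a small Python script that walks the `_mapping` response pasted above and reports which of the fields ElastAlert's pending-alert query sorts and filters on (`alert_time` and `alert_sent`, taken from the query in the traceback) are absent from the index or mapped with the wrong type; it handles both the typed (ES 6) and typeless (ES 7+) mapping shapes. The `REQUIRED_FIELDS` table and the sample index are assumptions built from the question, not ElastAlert's full index template.

```python
import json

# Constructed sample: the _mapping response pasted in the question. Note that
# it has no `alert_time` field, which is what ElastAlert sorts on.
SAMPLE_MAPPING = json.loads("""
{"elastalert_status_status": {"mappings": {"elastalert_status": {"properties": {
  "@timestamp": {"type": "date"}, "endtime": {"type": "date"}, "hits": {"type": "long"},
  "matches": {"type": "long"},
  "rule_name": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
  "starttime": {"type": "date"}, "time_taken": {"type": "float"}}}}}}
""")

# Assumption: fields the pending-alert query in the traceback depends on.
# alert_time must be a date (it is used in a range filter and a sort);
# alert_sent only needs to exist (None = any type is accepted).
REQUIRED_FIELDS = {"alert_time": "date", "alert_sent": None}


def collect_properties(mappings):
    """Flatten a _mapping 'mappings' object into {field: type}.
    Handles the pre-ES7 shape {type_name: {"properties": ...}} and the
    ES7+ typeless shape {"properties": ...}."""
    if "properties" in mappings:
        sources = [mappings["properties"]]
    else:
        sources = [t.get("properties", {}) for t in mappings.values() if isinstance(t, dict)]
    props = {}
    for p in sources:
        for name, spec in p.items():
            props[name] = spec.get("type")
    return props


def missing_or_mistyped(mapping_response, required=REQUIRED_FIELDS):
    """Return {field: problem} for each required field that is absent or has
    a type other than the expected one, across every index in the response."""
    problems = {}
    for index_name, body in mapping_response.items():
        props = collect_properties(body.get("mappings", {}))
        for field, expected in required.items():
            actual = props.get(field)
            if field not in props:
                problems[field] = "missing from %s" % index_name
            elif expected is not None and actual != expected:
                problems[field] = "is %s in %s, expected %s" % (actual, index_name, expected)
    return problems


if __name__ == "__main__":
    for field, problem in sorted(missing_or_mistyped(SAMPLE_MAPPING).items()):
        print("%s: %s" % (field, problem))
```

Run it against the live `_mapping` output instead of the sample before starting ElastAlert; an empty result means the writeback index has the fields the pending-alert query needs.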
  • Can you provide the mapping you get from `curl -XGET http://localhost:9200/elastalert_status_status/_mapping/elastalert` ? – Val Sep 10 '18 at 06:57
  • Hi @Val , please see updated question. Instead of API 'http://localhost:9200/elastalert_status_status/_mapping/elastalert' I have called 'http://localhost:9200/elastalert_status_status/_mapping/elastalert_status'. Looks like there is no mapping for 'alert_time' there. Can you please give me some reference for the same? – Deva Sep 10 '18 at 07:09
  • Please also share your rule file – Val Sep 10 '18 at 07:38
  • @Val Added rule file in question itself, please check. – Deva Sep 10 '18 at 08:43
  • @Val I hit the API as you mentioned in the comment and got the response as below. Can you explain in nutshell? `{"error":"no handler found for uri [/elastalert_status_status/_mapping/elastalert] and method [GET]"}` – Andrew Nov 03 '22 at 05:55
  • @Andrew very old question for a very old ES version. Specific mapping types are not supported anymore as of ES 7. What version of ES and Elastalert are you running? – Val Nov 03 '22 at 06:22
  • I'm using es version 8.x. However the API has changed with the version update. I just figured it out. There should be `_doc` in API instead of `_mapping`. btw thanks for the help. – Andrew Nov 03 '22 at 09:49
