
I am trying to write an ElastAlert rule for the condition: if there is no log coming from an application for 5 minutes, it should raise an alert. I tried the following rule but it is not working. Is there something I am missing in the syntax or the query?

name: DevopsNoLogs          # every ElastAlert rule needs a unique "name" key
index: logstash-*
type: flatline              # fires when fewer than "threshold" hits arrive within "timeframe"
threshold: 1                # i.e. alert when zero matching documents are seen
timeframe:
  minutes: 5                # the window in which hits are counted; the stated requirement is 5 minutes
filter:
- query:
    query_string:
      query: '@module_tag:devops'   # only count logs from the devops application
alert: my_alerts.AlertManager       # custom alerter module (my_alerts.py on the Python path)
labels:
  alertsrc: elasticsearch
  kafka: 'true'
  slack: 'true'
  severity: critical
  host_impacted: vcmts-all
  wikilink: https://etwiki.sys.comcast.net/display/NGAN/DAA+Operations
annotations:
  summary: alert is fired if there are no logs in kibana from RLCM Dashboard component for a duration of 5m.
Taher A. Ghaleb
Arnav Bose
  • Flatline will only alert if there's at least 1 hit, if you get 0 hits (no logs) it will not alert you. That's sort of the limitation of flatline rule. https://github.com/Yelp/elastalert/issues/1137#issuecomment-305851850 – Abhishek Jaisingh Mar 12 '19 at 17:45
  • @AbhishekJaisingh so is there any way to alert when there is no log for a specified time period? Is it possible with elastalert? – H.Ç.T Nov 20 '19 at 16:04
  • It seems that my previous comment was incorrect, it was clarified later by the author of ElastAlert in another comment: https://github.com/Yelp/elastalert/issues/1137#issuecomment-352892394 I have found that flatline works as expected in production – Abhishek Jaisingh Nov 21 '19 at 17:54
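To make the flatline semantics discussed in the question and comments concrete, here is an added example (not ElastAlert's own code and not part of the original post): a simplified, self-contained model of a flatline rule replayed over constructed sample log events. The class `FlatlineDetector`, the function `run`, and the sample data are all assumptions made for this illustration. It shows three things: a 5-minute timeframe fires once the application goes quiet for 5 minutes, an application that never logs at all still fires once the first timeframe has elapsed since rule start (the point clarified in the later comment), and a timeframe of 1 second, as in the posted rule, fires on almost every evaluation because no 1-second window ever contains a hit.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (timestamp, @module_tag). Not real log data.
# The devops application logs a few times, then goes silent from 17:04 until 17:12.
SAMPLE_EVENTS = [
    ("2019-03-12T17:00:10Z", "devops"),
    ("2019-03-12T17:02:40Z", "devops"),
    ("2019-03-12T17:03:05Z", "billing"),   # other application; the filter must drop it
    ("2019-03-12T17:04:00Z", "devops"),
    ("2019-03-12T17:12:30Z", "devops"),
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


class FlatlineDetector:
    """Simplified model of a flatline rule (an assumption, not ElastAlert's implementation).

    Alerts when fewer than `threshold` matching events fall inside the trailing `timeframe`.
    The window clock starts at rule start, so a source that never logs at all still
    produces an alert once the first full timeframe has elapsed.
    """

    def __init__(self, threshold, timeframe, module_tag, rule_start):
        self.threshold = threshold
        self.timeframe = timeframe
        self.module_tag = module_tag
        self.rule_start = rule_start
        self.events = []        # timestamps of matching events still inside the window
        self.last_alert = None  # used to re-arm only once per timeframe

    def add_event(self, ts, tag):
        # Equivalent of the rule's filter: query_string '@module_tag:devops'
        if tag != self.module_tag:
            return
        self.events.append(ts)

    def check(self, now):
        """Return True if an alert should fire at `now`."""
        # Nothing can be judged until one full timeframe has passed since rule start
        if now - self.rule_start < self.timeframe:
            return False
        cutoff = now - self.timeframe
        self.events = [t for t in self.events if t > cutoff]  # discard events outside the window
        if len(self.events) < self.threshold:
            if self.last_alert is None or now - self.last_alert >= self.timeframe:
                self.last_alert = now
                return True
        return False


def run(events, rule_start="2019-03-12T17:00:00Z", minutes=15,
        threshold=1, timeframe_seconds=300, tag="devops"):
    """Replay `events` minute by minute from `rule_start` and return alert times as ISO strings."""
    start = parse_ts(rule_start)
    det = FlatlineDetector(threshold, timedelta(seconds=timeframe_seconds), tag, start)
    pending = sorted((parse_ts(ts), t) for ts, t in events)
    alerts = []
    for i in range(minutes + 1):
        now = start + timedelta(minutes=i)
        # Feed every event that has "arrived" by this evaluation tick
        while pending and pending[0][0] <= now:
            ts, t = pending.pop(0)
            det.add_event(ts, t)
        if det.check(now):
            alerts.append(now.strftime(TS_FMT))
    return alerts


if __name__ == "__main__":
    print("5-minute flatline on sample events:", run(SAMPLE_EVENTS))
    print("application that never logs:", run([("2019-03-12T17:03:05Z", "billing")]))
    print("1-second timeframe (as posted):", len(run(SAMPLE_EVENTS, timeframe_seconds=1)), "alerts")
```

With the sample data the 5-minute detector fires exactly once, at 17:09, five minutes after the last devops log at 17:04, and stays quiet once logging resumes; with only non-matching events it fires at 17:05, 17:10 and 17:15, one alert per elapsed timeframe; with a 1-second timeframe it fires on 14 of the 16 evaluations, which is the noisy behaviour the posted `seconds: 1` setting would produce.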

0 Answers