Elastalert 'spike' rule alerting on 0 events being greater than 0 events


I am using elastalert HEAD as of today.

I am using this rule:

es_host: *******
es_port: 443
use_ssl: True
name: Mike Learning Two
type: spike
index: cwl-*
threshold: 2
timeframe:
  minutes: 1
spike_height: 2
spike_type: "up"
filter:
- query:
    query_string:
      query: "status:404"
alert:
- "debug"

And it does indeed detect spikes. But sometimes it alerts with this message:

INFO:elastalert:Alert for Mike Learning Two at 2016-03-30T08:27:52.137927Z:
INFO:elastalert:Mike Learning Two

An abnormal number (0) of events occurred around 2016-03-30 08:27 UTC.
Preceding that time, there were only 0 events within 0:01:00

@timestamp: 2016-03-30T08:27:52.137927Z
reference_count: 0
spike_count: 0

Am I doing something wrong or is this a bug?


Solution

  • After getting no answer from SO, I posted an issue on the Elastalert Github.

    https://github.com/Yelp/elastalert/issues/455

    Their answer was:

    Yeah. I guess this is sort of a bug. You should set either threshold_ref or threshold_cur instead of threshold. The example rule is outdated and incorrect and not setting either value should result in an error. My fault for neglecting it as the config format changed.
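To see why the maintainers' advice matters, the following is an added example, not code from the question or from ElastAlert's own source: a small constructed model of an "up" spike check that compares a reference window against the current window at a ratio of spike_height and optionally applies the per-window minimums that threshold_ref and threshold_cur stand for. The timestamps, status codes and the non-strict ratio comparison are assumptions made for the illustration; only the field names and the 2x / 1-minute values come from the rule posted above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class SpikeRule:
    spike_height: float                  # current window must reach this multiple of the reference
    timeframe: timedelta                 # width of each window (reference and current)
    threshold_ref: Optional[int] = None  # minimum events in the reference window, if set
    threshold_cur: Optional[int] = None  # minimum events in the current window, if set


def spike_up(rule: SpikeRule, reference_count: int, spike_count: int) -> bool:
    """'up' spike test with optional per-window floors (constructed model, not ElastAlert's code)."""
    if rule.threshold_ref is not None and reference_count < rule.threshold_ref:
        return False
    if rule.threshold_cur is not None and spike_count < rule.threshold_cur:
        return False
    # A non-strict ratio test is satisfied by 0 >= 0 * height, which is exactly the
    # "abnormal number (0) of events" alert quoted in the question. Only a floor on
    # at least one window rules out the empty-versus-empty case.
    return spike_count >= reference_count * rule.spike_height


def count_matches(events: List[Tuple[datetime, str]], start: datetime,
                  end: datetime, status: str = "404") -> int:
    """Count events with the given status in the half-open window [start, end)."""
    return sum(1 for ts, st in events if st == status and start <= ts < end)


def evaluate(rule: SpikeRule, events: List[Tuple[datetime, str]],
             now: datetime) -> Tuple[int, int, bool]:
    """Return (reference_count, spike_count, alert) for the two windows ending at `now`."""
    cur_start = now - rule.timeframe
    ref_start = cur_start - rule.timeframe
    ref = count_matches(events, ref_start, cur_start)
    cur = count_matches(events, cur_start, now)
    return ref, cur, spike_up(rule, ref, cur)


def _t(hh: int, mm: int, ss: int) -> datetime:
    return datetime(2016, 3, 30, hh, mm, ss)


# Constructed sample log as (timestamp, HTTP status): two 404s during 08:25,
# five 404s and one 200 during 08:26, then silence.
EVENTS = [
    (_t(8, 25, 10), "404"), (_t(8, 25, 40), "404"),
    (_t(8, 26, 5), "404"), (_t(8, 26, 10), "200"), (_t(8, 26, 20), "404"),
    (_t(8, 26, 30), "404"), (_t(8, 26, 45), "404"), (_t(8, 26, 50), "404"),
]

# Mirrors the rule as posted: spike_height 2, 1-minute timeframe, no per-window floor
# (the plain `threshold` key has no effect in this model, as in the maintainers' reply).
RULE_AS_POSTED = SpikeRule(spike_height=2, timeframe=timedelta(minutes=1))
# Mirrors the advised fix: require at least 2 events in the current window.
RULE_FIXED = SpikeRule(spike_height=2, timeframe=timedelta(minutes=1), threshold_cur=2)

if __name__ == "__main__":
    for label, rule in (("as posted", RULE_AS_POSTED), ("threshold_cur", RULE_FIXED)):
        for now in (_t(8, 27, 0), _t(8, 29, 0)):
            ref, cur, fired = evaluate(rule, EVENTS, now)
            print(f"{label:13s} {now:%H:%M}  reference_count={ref} "
                  f"spike_count={cur} alert={fired}")
```

Run at 08:27 both rules fire on the genuine jump from 2 to 5 matching events; run at 08:29, after the traffic stops, the rule as posted still fires on 0 versus 0, while the rule with threshold_cur stays quiet because the current window never reaches its minimum. The same floor is what keeps a real deployment from paging on an empty index.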