I am using ElastAlert to notify my consumers if an error occurs in the past 10 mins. I want to send the list of errors which occurred, but the items in the list are split in two if there is a hyphen ('-') present in errorCode.
This is the result I want:
errorCode:
error1: 10
error-place-2: 15
error-new-place-3: 20
This is the result I am getting:
errorCode:
error1: 10
error: 35
place: 35
2: 15
new: 20
3: 20
Is there a way to get the desired results?
Update - adding the index mappings:
{
  "indexdate": {
    "mappings": {
      "app_log": {
        "properties": {
        }
      },
      "transaction_log": {
        "properties": {
          "@timestamp": {
            "type": "date",
            "format": "strict_date_optional_time||epoch_millis"
          },
          "other": {
          },
          "errorCode": {
            "type": "string"
          },
          "other": {
          }
        }
      }
    }
  }
}
You need to make sure that your errorCode field is not_analyzed, which doesn't seem to be the case, hence why your error codes are split.
You can modify your mapping like this:
curl -XPUT localhost:9200/indexdate/_mapping/transaction_log -d '{
  "properties": {
    "errorCode": {
      "type": "string",
      "fields": {
        "raw": {
          "type": "string",
          "index": "not_analyzed"
        }
      }
    }
  }
}'
After making this change, you need to reindex your data in order to populate the errorCode.raw field.
Then you'll need to use errorCode.raw in your ElastAlert config instead of errorCode.
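To see why the analyzed field yields the split counts in the question, here is an added Python simulation (not part of the original answer or of ElastAlert) of a terms aggregation over an analyzed field versus a not_analyzed one. It approximates the standard analyzer's hyphen splitting and runs on constructed sample documents whose counts match the question (10, 15 and 20).

```python
import re
from collections import Counter

# Constructed sample documents matching the counts in the question:
# 10 x "error1", 15 x "error-place-2", 20 x "error-new-place-3".
SAMPLE_DOCS = (
    [{"errorCode": "error1"}] * 10
    + [{"errorCode": "error-place-2"}] * 15
    + [{"errorCode": "error-new-place-3"}] * 20
)


def standard_tokens(value):
    """Approximate Elasticsearch's standard analyzer: lowercase and split
    on non-alphanumeric characters, so a hyphen is a word boundary."""
    return [tok for tok in re.split(r"[^0-9a-z]+", value.lower()) if tok]


def terms_agg(docs, field, analyzed):
    """Simulate a terms aggregation: count how many documents contain
    each indexed term. An analyzed field indexes one term per token;
    a not_analyzed field indexes the whole value as a single term."""
    counts = Counter()
    for doc in docs:
        value = doc[field]
        terms = set(standard_tokens(value)) if analyzed else {value}
        counts.update(terms)  # each doc counts once per distinct term
    return dict(counts)


def analyzed_result():
    # What the asker sees: "error" and "place" reach 35 because both
    # hyphenated codes contribute those tokens (15 + 20).
    return terms_agg(SAMPLE_DOCS, "errorCode", analyzed=True)


def not_analyzed_result():
    # What errorCode.raw (index: not_analyzed) gives: whole values.
    return terms_agg(SAMPLE_DOCS, "errorCode", analyzed=False)


if __name__ == "__main__":
    print("analyzed:", analyzed_result())
    print("not_analyzed:", not_analyzed_result())
```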