Creating a flatline alert type using the ElastAlert framework.
When I use the query in the Kibana UI with the exact same syntax it returns results, but ElastAlert isn't returning any results.
Here's my elastalert-rule-file.xml
name: Test Flatline
type: flatline
run_every:
  seconds: 15
realert:          # option name is "realert" (the original had a typo, "relalert")
  minutes: 0
es_host: localhost
es_port: 9200
threshold: 1
timeframe:
  minutes: 5
index: my-index-*
filter:
- query:
    query_string:
      query: "_type:metric" # this returns results in both kibana and elastalert
      #query: "_type:metric AND _exists_:My\ Field\ With\ Spaces.value" # this returns results in kibana but not in elastalert
timestamp_type: unix_ms
alert:
- command
command: ["my-bash-script.sh"]
So I tried playing around with the query, and if I just specify _type:metric then the search results in Kibana seem to match those in ElastAlert.
However, when I attempt to use the query with the _exists_ Lucene syntax in the second query, ElastAlert doesn't return anything while Kibana seems to be fine with the syntax.
Any ideas?
I got it...just forgot to post an answer.
Apparently for the field with spaces you need to escape the backslashes so the line in question would look like this:
query: "_type:metric AND _exists_:My\\ Field\\ With\\ Spaces.value"
Furthermore, in the special case where you are using Ansible (YAML) configuration you need to add a backslash to escape each backslash.
So the entry in a YAML file would look something like this:
query: "My\\\\ field\\\\ With\\\\ Spaces.value"
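Added example (not code from the poster or from ElastAlert) tracing why the single-backslash form returns nothing and the double- and quadruple-backslash forms work: each YAML double-quoted layer consumes one level of escaping, and YAML defines "\ " as an escaped space, so a lone backslash simply disappears before the query ever reaches Lucene. It assumes Ansible renders the variable verbatim into a double-quoted rule scalar, and `yaml_dq_decode` is a simplified stand-in for the YAML double-quoted escape rules (only `\\`, `\"` and `\ ` are handled), not a YAML parser.

```python
"""Trace a Lucene query_string with a spaced field name through one (plain
ElastAlert rule file) or two (Ansible-templated rule file) YAML decodings."""

# Subset of YAML double-quoted escapes relevant here. "\ " really is a YAML
# escape for a plain space, which is why "My\ Field" loses its backslash.
YAML_ESCAPES = {"\\": "\\", '"': '"', " ": " "}


def yaml_dq_decode(scalar: str) -> str:
    """Decode one YAML double-quoted scalar (simplified stand-in, not a parser)."""
    if len(scalar) < 2 or scalar[0] != '"' or scalar[-1] != '"':
        raise ValueError("expected a double-quoted scalar")
    body, out, i = scalar[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 1
            if i >= len(body) or body[i] not in YAML_ESCAPES:
                raise ValueError("unsupported or dangling escape in scalar")
            out.append(YAML_ESCAPES[body[i]])
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def decode_rule_query(rule_scalar: str) -> str:
    """ElastAlert loads the rule file once: a single decoding layer."""
    return yaml_dq_decode(rule_scalar)


def decode_ansible_query(ansible_scalar: str) -> str:
    """Ansible decodes its own YAML (layer 1), templates the resulting string
    verbatim into  query: "<value>"  and ElastAlert decodes again (layer 2)."""
    rendered_rule_scalar = '"' + yaml_dq_decode(ansible_scalar) + '"'
    return yaml_dq_decode(rendered_rule_scalar)


def field_reaches_lucene_intact(query: str, field: str) -> bool:
    """True when every space in `field` arrives escaped as '\\ ', so Lucene's
    query_string keeps the whole name as one token instead of splitting it."""
    return field.replace(" ", "\\ ") in query


if __name__ == "__main__":
    # Constructed sample inputs mirroring the lines from the post above.
    field = "My Field With Spaces.value"
    for label, fn, scalar in [
        ("rule, single backslash", decode_rule_query, r'"_exists_:My\ Field\ With\ Spaces.value"'),
        ("rule, double backslash", decode_rule_query, r'"_exists_:My\\ Field\\ With\\ Spaces.value"'),
        ("ansible, quadruple backslash", decode_ansible_query, r'"_exists_:My\\\\ Field\\\\ With\\\\ Spaces.value"'),
    ]:
        q = fn(scalar)
        print(f"{label:30} -> {q!r:50} intact={field_reaches_lucene_intact(q, field)}")
```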