Instead of sending one alert, ElastAlert sends an email for each document that matched. Below is my rule file. It works, but I want the alerts in one email. Please help; any suggestion will be appreciated.
skynet.yaml: |-
  ---
  name: skynet
  type: frequency
  limit_execution: "0/10 * * * *"
  index: wpng-httpd-perf-*
  num_events: 1
  top_count_keys: ["Host_Id", "Host_Group"]
  timeframe:
    minutes: 15
  filter:
  - query:
      query_string:
        query: "Host_Group.keyword:ZOOKEEPER_ZK1_QA"
  alert:
  - "email"
  email_format: html
  aggregation:
    minutes: 15
  aggregation_key: 'Host_Id'
  email:
  - "johndoe@skynet.com"
  from_addr: "sam@skynet.com"
  alert_subject: "PLOT1 at {0}."
  alert_subject_args:
  - "@timestamp"
  alert_text: "Hi Team,<br><br/> {0} ERROR event(s) detected in last 15 minutes <br/><br>Hosts where errors are detected :</br> Host_Id is {1} <br></br><br></br> <br>Here are a few of those :</br><br> messages {2} </br><br> </br><br/><br>bye.</br><br></br><br>Thanks <br></br> "
  alert_text_type: alert_text_only
  alert_text_args:
  - num_matches
  - Host_Id
  - message
  - top_count_keys
The code below worked for me.
PLOTTHREE.yaml: |-
  ---
  name: PLOTTHREE
  type: frequency
  limit_execution: "0/15 * * * *"
  index: home-*
  num_events: 1
  aggregation:
    minutes: 10
  include:
  - Host_Group
  - Host_Id
  timeframe:
    minutes: 15
  filter:
  - query:
      query_string:
        query: "Host_Group.keyword:fatal"
  alert:
  - "email"
  email:
  - "john@doe.com"
  from_addr: "yyy@doe.com"
  alert_subject: "PLOTTHREE - ERROR detected in Kafka Zookeeper logs of host group fatal at {0}."
  alert_subject_args:
  - "@timestamp"
  alert_text: "Hello Team, ERROR event(s) detected in last 15 minutes. Hosts where errors are detected in {0}. Here is the num events {1} . "
  alert_text_type: alert_text_only
  alert_text_args:
  - Host_Id
  - num_matches
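The difference between the two rule files above comes down to `aggregation_key`. ElastAlert's documented behaviour is that `aggregation` alone collects every match in the window into one alert, while `aggregation` combined with `aggregation_key` opens a separate aggregation (and therefore a separate email) per distinct value of that key, which is why the first rule produced one email per `Host_Id`. The following Python simulation is an added example, not ElastAlert's own code; it reproduces that grouping rule and the positional `alert_text` / `alert_text_args` formatting on a few constructed matches so the two configurations can be compared offline. The `num_matches` handling is a simplification (it counts the matches in the bucket; in a real frequency rule ElastAlert writes `num_matches` into the match document itself).

```python
"""Simulate ElastAlert's aggregation and alert_text rendering.

Added illustration, not ElastAlert's own code. Mirrors the documented rules:
  * `aggregation` without `aggregation_key` -> one alert for all matches
    in the window;
  * `aggregation` with `aggregation_key` -> one alert per distinct value
    of that key;
  * `alert_text` is a format string filled positionally from
    `alert_text_args`; a field missing from the match renders as
    "<MISSING VALUE>", as ElastAlert does.
"""
from collections import OrderedDict

MISSING = "<MISSING VALUE>"

# Constructed sample matches shaped like hits from the rule's
# query_string filter (Host_Group.keyword:fatal). Not real log data.
SAMPLE_MATCHES = [
    {"@timestamp": "2020-01-01T10:01:00Z", "Host_Group": "fatal",
     "Host_Id": "host-a", "message": "ERROR broker down"},
    {"@timestamp": "2020-01-01T10:03:00Z", "Host_Group": "fatal",
     "Host_Id": "host-b", "message": "ERROR zk session timeout"},
    {"@timestamp": "2020-01-01T10:07:00Z", "Host_Group": "fatal",
     "Host_Id": "host-a", "message": "ERROR broker down"},
]


def lookup_es_key(match, key):
    """Resolve a possibly dotted key ('a.b') against a match dict."""
    value = match
    for part in key.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def group_matches(matches, aggregation_key=None):
    """Return an ordered {bucket: [matches]} mapping.

    Without an aggregation_key every match lands in one bucket (one alert).
    With a key there is one bucket, hence one alert, per distinct value.
    """
    buckets = OrderedDict()
    for match in matches:
        bucket = lookup_es_key(match, aggregation_key) if aggregation_key else None
        buckets.setdefault(bucket, []).append(match)
    return buckets


def render_alert_text(alert_text, alert_text_args, matches):
    """Fill alert_text positionally from the first match of the bucket.

    Simplification: num_matches is taken as the bucket size here; ElastAlert's
    frequency rule stores it as a field on the match instead.
    """
    first = matches[0]
    values = []
    for arg in alert_text_args:
        if arg == "num_matches":
            values.append(len(matches))
        else:
            value = lookup_es_key(first, arg)
            values.append(MISSING if value is None else value)
    return alert_text.format(*values)


def build_alerts(matches, alert_text, alert_text_args, aggregation_key=None):
    """One rendered alert body per aggregation bucket."""
    return [render_alert_text(alert_text, alert_text_args, bucket)
            for bucket in group_matches(matches, aggregation_key).values()]


if __name__ == "__main__":
    text = "Hosts where errors are detected in {0}. Here is the num events {1} ."
    args = ["Host_Id", "num_matches"]
    # First rule file: aggregation_key: 'Host_Id' -> one email per host
    print("with aggregation_key:", build_alerts(SAMPLE_MATCHES, text, args, "Host_Id"))
    # Second rule file: aggregation only -> a single email
    print("without aggregation_key:", build_alerts(SAMPLE_MATCHES, text, args))
```

Running the script prints two alert bodies for the keyed configuration (one for host-a, one for host-b) and a single body for the un-keyed one. It also shows why an entry such as `top_count_keys` in `alert_text_args` is not useful: it is not a field of the match, so it resolves to `<MISSING VALUE>`.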