I'm testing ElastAlert using the command `elastalert-test-rule`, and I got this error message:
elastalert_error - {'message': "Error running query: RequestError(400, 'search_phase_execution_exception', 'No mapping found for [@timestamp] in order to sort on')",
(omission)
raise HTTP_EXCEPTIONS.get(status_code, TransportError)(', "elasticsearch.exceptions.RequestError: RequestError(400, 'search_phase_execution_exception', 'No mapping found for [@timestamp] in order to sort on')"],
'data': {'rule': 'test',
'query': {'query': {'bool': {'filter': {'bool': {'must': [{'range': {'@timestamp': {'gt': '2022-03-10T09:03:31.454969Z', 'lte': '2022-03-10T09:08:34.454969Z'}}},
{'query_string': {'query': '_type: pi_endpointincidentlogdata'}},
{'query_string': {'query': 'elog_logtype: 1'}},
{'query_string': {'query': 'elog_loggroup: 32 OR elog_loggroup: 64'}},
{'query_string': {'query': '_exists_ : elog_patterinfo.elog_patternname'}},
{'range': {'elog_createtime': {'gte': '2022-01-03 10:33:00', 'lte': '2022-01-03 10:37:00'}}}]}}}},
'sort': [{'@timestamp': {'order': 'asc'}}]}}}
I cannot understand the error, because I didn't declare a @timestamp range or sort in the filter.
This is my rule file:
> name: test
> type: frequency
> index: pi_202202*
> num_events: 1
> timeframe:
>   minutes: 5
>
> filter:
> - query:
>     query_string:
>       query: "_type: pi_endpointincidentlogdata"
> - query:
>     query_string:
>       query: "elog_logtype: 1"
> - query:
>     query_string:
>       query: "elog_loggroup: 32 OR elog_loggroup: 64"
> - query:
>     query_string:
>       query: "_exists_ : elog_patterinfo.elog_patternname"
> - range:
>     elog_createtime:
>       gte: "2022-01-03 10:33:00"
>       lte: "2022-01-03 10:37:00"
>
> alert:
> - "email"
How can I solve the problem?
This is because ElastAlert uses the @timestamp field by default to sort your data. You can change that in the timestamp_field configuration and use another field that is present in your data.
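To see where the unexpected range and sort come from, here is an added example (not ElastAlert's own code, but a simplified reconstruction of how it wraps a rule's filters into the search body). It builds the body for the rule from the question with and without `timestamp_field`; the corrected rule also sets ElastAlert's `timestamp_type: custom` and `timestamp_format` options because `elog_createtime` values are not ISO 8601. The query window is a constructed value.

```python
from datetime import datetime, timezone

DEFAULT_TIMESTAMP_FIELD = "@timestamp"  # what ElastAlert uses when a rule sets no timestamp_field

def build_query(rule, starttime, endtime):
    """Simplified reconstruction of how ElastAlert turns a rule into an ES search body:
    it prepends a range on the timestamp field and sorts on that same field, which is
    why ES demands a mapping for it even though the rule's filter never mentions it."""
    ts_field = rule.get("timestamp_field", DEFAULT_TIMESTAMP_FIELD)
    fmt = rule.get("timestamp_format")  # honoured when timestamp_type is "custom"
    if fmt:
        to_ts = lambda dt: dt.strftime(fmt)
    else:
        to_ts = lambda dt: dt.isoformat().replace("+00:00", "Z")  # ISO 8601 default
    must = [{"range": {ts_field: {"gt": to_ts(starttime), "lte": to_ts(endtime)}}}]
    must.extend(rule["filter"])
    return {
        "query": {"bool": {"filter": {"bool": {"must": must}}}},
        "sort": [{ts_field: {"order": "asc"}}],
    }

def sort_field(body):
    """Return the field the search body sorts on (the one ES must have a mapping for)."""
    return next(iter(body["sort"][0]))

# Filters from the question, in the unwrapped form ElastAlert sends to Elasticsearch
FILTERS = [
    {"query_string": {"query": "_type: pi_endpointincidentlogdata"}},
    {"query_string": {"query": "elog_logtype: 1"}},
    {"query_string": {"query": "elog_loggroup: 32 OR elog_loggroup: 64"}},
    {"query_string": {"query": "_exists_ : elog_patterinfo.elog_patternname"}},
    {"range": {"elog_createtime": {"gte": "2022-01-03 10:33:00", "lte": "2022-01-03 10:37:00"}}},
]

RULE_FROM_QUESTION = {"name": "test", "type": "frequency", "index": "pi_202202*",
                      "num_events": 1, "filter": FILTERS}

# Fix: point ElastAlert at the date field the index actually has, and declare its
# format so the range bounds ElastAlert generates use the same layout as the data.
FIXED_RULE = dict(RULE_FROM_QUESTION, timestamp_field="elog_createtime",
                  timestamp_type="custom", timestamp_format="%Y-%m-%d %H:%M:%S")

# Constructed query window (ElastAlert really uses "now - timeframe" to "now")
START = datetime(2022, 3, 10, 9, 3, 31, tzinfo=timezone.utc)
END = datetime(2022, 3, 10, 9, 8, 34, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(sort_field(build_query(RULE_FROM_QUESTION, START, END)))  # @timestamp
    print(sort_field(build_query(FIXED_RULE, START, END)))          # elog_createtime
```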