/usr/share/doc/elastalert/html/elastalert.html is in elastalert-doc 0.1.28-1.
<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>ElastAlert - Easy & Flexible Alerting With Elasticsearch — ElastAlert 0.0.1 documentation</title>
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="index" title="Index"
href="genindex.html"/>
<link rel="search" title="Search" href="search.html"/>
<link rel="top" title="ElastAlert 0.0.1 documentation" href="index.html"/>
<link rel="next" title="Running ElastAlert for the First Time" href="running_elastalert.html"/>
<link rel="prev" title="ElastAlert - Easy & Flexible Alerting With Elasticsearch" href="index.html"/>
<script src="_static/js/modernizr.min.js"></script>
</head>
<body class="wy-body-for-nav" role="document">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search">
<a href="index.html" class="icon icon-home"> ElastAlert
</a>
<div class="version">
0.0.1
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<ul class="current">
<li class="toctree-l1 current"><a class="current reference internal" href="#">ElastAlert - Easy & Flexible Alerting With Elasticsearch</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#overview">Overview</a></li>
<li class="toctree-l2"><a class="reference internal" href="#reliability">Reliability</a></li>
<li class="toctree-l2"><a class="reference internal" href="#modularity">Modularity</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#rule-types">Rule types</a></li>
<li class="toctree-l3"><a class="reference internal" href="#alerts">Alerts</a></li>
<li class="toctree-l3"><a class="reference internal" href="#enhancements">Enhancements</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#configuration">Configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="#running-elastalert">Running ElastAlert</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="running_elastalert.html">Running ElastAlert for the First Time</a></li>
<li class="toctree-l1"><a class="reference internal" href="ruletypes.html">Rule Types and Configuration Options</a></li>
<li class="toctree-l1"><a class="reference internal" href="elastalert_status.html">ElastAlert Metadata Index</a></li>
<li class="toctree-l1"><a class="reference internal" href="recipes/adding_rules.html">Adding a New Rule Type</a></li>
<li class="toctree-l1"><a class="reference internal" href="recipes/adding_alerts.html">Adding a New Alerter</a></li>
<li class="toctree-l1"><a class="reference internal" href="recipes/writing_filters.html">Writing Filters For Rules</a></li>
<li class="toctree-l1"><a class="reference internal" href="recipes/adding_enhancements.html">Enhancements</a></li>
<li class="toctree-l1"><a class="reference internal" href="recipes/signing_requests.html">Signing requests to Amazon Elasticsearch service</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" role="navigation" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">ElastAlert</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html">Docs</a> »</li>
<li>ElastAlert - Easy & Flexible Alerting With Elasticsearch</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/elastalert.rst.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<div class="section" id="elastalert-easy-flexible-alerting-with-elasticsearch">
<h1>ElastAlert - Easy & Flexible Alerting With Elasticsearch<a class="headerlink" href="#elastalert-easy-flexible-alerting-with-elasticsearch" title="Permalink to this headline">¶</a></h1>
<p>ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.</p>
<p>At Yelp, we use Elasticsearch, Logstash and Kibana for managing our ever-increasing amount of data and logs.
Kibana is great for visualizing and querying data, but we quickly realized that it needed a companion tool for alerting
on inconsistencies in our data. Out of this need, ElastAlert was created.</p>
<p>If you have data being written into Elasticsearch in near real time and want to be alerted when that data matches certain patterns, ElastAlert is the tool for you.</p>
<div class="section" id="overview">
<h2>Overview<a class="headerlink" href="#overview" title="Permalink to this headline">¶</a></h2>
<p>We designed ElastAlert to be <a class="reference internal" href="#reliability"><span class="std std-ref">reliable</span></a>, highly <a class="reference internal" href="#modularity"><span class="std std-ref">modular</span></a>, and easy to <a class="reference internal" href="running_elastalert.html#tutorial"><span class="std std-ref">set up</span></a> and <a class="reference internal" href="#configuration"><span class="std std-ref">configure</span></a>.</p>
<p>It works by combining Elasticsearch with two types of components, rule types and alerts.
Elasticsearch is periodically queried and the data is passed to the rule type, which determines when
a match is found. When a match occurs, it is given to one or more alerts, which take action based on the match.</p>
<p>This is configured by a set of rules, each of which defines a query, a rule type, and a set of alerts.</p>
<p>Several rule types with common monitoring paradigms are included with ElastAlert:</p>
<ul class="simple">
<li>“Match where there are X events in Y time” (<code class="docutils literal"><span class="pre">frequency</span></code> type)</li>
<li>“Match when the rate of events increases or decreases” (<code class="docutils literal"><span class="pre">spike</span></code> type)</li>
<li>“Match when there are fewer than X events in Y time” (<code class="docutils literal"><span class="pre">flatline</span></code> type)</li>
<li>“Match when a certain field matches a blacklist/whitelist” (<code class="docutils literal"><span class="pre">blacklist</span></code> and <code class="docutils literal"><span class="pre">whitelist</span></code> type)</li>
<li>“Match on any event matching a given filter” (<code class="docutils literal"><span class="pre">any</span></code> type)</li>
<li>“Match when a field has two different values within some time” (<code class="docutils literal"><span class="pre">change</span></code> type)</li>
</ul>
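<p>The following is an added, self-contained example (not ElastAlert's own code, and it does not import ElastAlert's <code class="docutils literal"><span class="pre">RuleType</span></code> or alerter classes) that walks through the pipeline described above for the <code class="docutils literal"><span class="pre">frequency</span></code> type: a batch of documents comes back from a query, a rule type keeps a trailing window per <code class="docutils literal"><span class="pre">query_key</span></code> and emits a match once <code class="docutils literal"><span class="pre">num_events</span></code> filtered events fall inside <code class="docutils literal"><span class="pre">timeframe</span></code>, and a debug-style alerter renders the match. The sample events, the rule named <code class="docutils literal"><span class="pre">ssh-bruteforce</span></code> and the single-field term filter are constructed for illustration.</p>

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample documents, standing in for the hits an Elasticsearch
# query would return (not real log data).
SAMPLE_EVENTS = [
    {"@timestamp": "2018-03-01T10:00:05Z", "event": "ssh_login_failed", "src_ip": "203.0.113.7"},
    {"@timestamp": "2018-03-01T10:00:40Z", "event": "ssh_login_failed", "src_ip": "203.0.113.7"},
    {"@timestamp": "2018-03-01T10:01:10Z", "event": "ssh_login_failed", "src_ip": "198.51.100.2"},
    {"@timestamp": "2018-03-01T10:01:30Z", "event": "ssh_login_failed", "src_ip": "203.0.113.7"},
    {"@timestamp": "2018-03-01T10:02:00Z", "event": "ssh_login_ok", "src_ip": "203.0.113.7"},
    {"@timestamp": "2018-03-01T10:02:15Z", "event": "ssh_login_failed", "src_ip": "203.0.113.7"},
    {"@timestamp": "2018-03-01T10:02:50Z", "event": "ssh_login_failed", "src_ip": "203.0.113.7"},
    {"@timestamp": "2018-03-01T10:20:00Z", "event": "ssh_login_failed", "src_ip": "198.51.100.2"},
    {"@timestamp": "2018-03-01T10:20:30Z", "event": "ssh_login_failed", "src_ip": "198.51.100.2"},
]

# Hypothetical rule, shaped like an ElastAlert frequency rule:
# "match when there are num_events events in timeframe", split per query_key.
RULE = {
    "name": "ssh-bruteforce",
    "type": "frequency",
    "filter": {"term": {"event": "ssh_login_failed"}},
    "num_events": 5,
    "timeframe": {"minutes": 10},
    "query_key": "src_ip",
}


def parse_timeframe(spec):
    """Turn an ElastAlert-style nested time unit ({"minutes": 10}) into a timedelta."""
    return timedelta(**spec)


def parse_ts(value):
    """Parse the ISO8601 UTC timestamps used in the constructed sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def matches_filter(event, flt):
    """Minimal stand-in for an Elasticsearch term filter: every listed field must equal its value."""
    return all(event.get(field) == value for field, value in flt.get("term", {}).items())


class FrequencyRule:
    """Emit a match when num_events filtered events fall inside timeframe, per query_key."""

    def __init__(self, rule):
        self.rule = rule
        self.timeframe = parse_timeframe(rule["timeframe"])
        self.num_events = rule["num_events"]
        self.query_key = rule.get("query_key")
        # one trailing window of timestamps per key (key is None without a query_key)
        self.windows = defaultdict(deque)

    def add_data(self, events):
        matches = []
        for event in sorted(events, key=lambda e: e["@timestamp"]):
            if not matches_filter(event, self.rule["filter"]):
                continue
            key = event.get(self.query_key) if self.query_key else None
            ts = parse_ts(event["@timestamp"])
            window = self.windows[key]
            window.append(ts)
            # drop events that have fallen out of the trailing timeframe
            while window and ts - window[0] > self.timeframe:
                window.popleft()
            if len(window) >= self.num_events:
                matches.append({**event, "num_hits": len(window),
                                "window_start": window[0].isoformat()})
                window.clear()  # start counting afresh after a match
        return matches


def debug_alert(rule, match):
    """Stand-in for DebugAlerter: render the match instead of acting on it."""
    key = rule.get("query_key")
    who = "{}={}".format(key, match[key]) if key else "all events"
    return "{}: {} events from {} since {}".format(
        rule["name"], match["num_hits"], who, match["window_start"])


def run(rule, events):
    """The loop the page describes: queried data -> rule type -> matches -> alerts."""
    return [debug_alert(rule, m) for m in FrequencyRule(rule).add_data(events)]


if __name__ == "__main__":
    for line in run(RULE, SAMPLE_EVENTS):
        print(line)
```

<p>Running it yields a single alert for <code class="docutils literal"><span class="pre">203.0.113.7</span></code>, whose five failed logins fall inside ten minutes; the successful login is dropped by the filter, and the other address never reaches five hits in any window. Clearing the window after a match is what stops one burst from re-alerting on every subsequent event.</p>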
<p>Currently, we have support built in for these alert types:</p>
<ul class="simple">
<li>Command</li>
<li>Email</li>
<li>JIRA</li>
<li>OpsGenie</li>
<li>SNS</li>
<li>HipChat</li>
<li>Slack</li>
<li>Telegram</li>
<li>Debug</li>
<li>Stomp</li>
</ul>
<p>Additional rule types and alerts can be easily imported or written. (See <a class="reference internal" href="recipes/adding_rules.html#writingrules"><span class="std std-ref">Writing rule types</span></a> and <a class="reference internal" href="recipes/adding_alerts.html#writingalerts"><span class="std std-ref">Writing alerts</span></a>)</p>
<p>In addition to this basic usage, there are many other features that make alerts more useful:</p>
<ul class="simple">
<li>Alerts link to Kibana dashboards</li>
<li>Aggregate counts for arbitrary fields</li>
<li>Combine alerts into periodic reports</li>
<li>Separate alerts by using a unique key field</li>
<li>Intercept and enhance match data</li>
</ul>
<p>To get started, check out <a class="reference internal" href="running_elastalert.html#tutorial"><span class="std std-ref">Running ElastAlert For The First Time</span></a>.</p>
</div>
<div class="section" id="reliability">
<span id="id1"></span><h2>Reliability<a class="headerlink" href="#reliability" title="Permalink to this headline">¶</a></h2>
<p>ElastAlert has several features to make it more reliable in the event of restarts or Elasticsearch unavailability:</p>
<ul class="simple">
<li>ElastAlert <a class="reference internal" href="elastalert_status.html#metadata"><span class="std std-ref">saves its state to Elasticsearch</span></a> and, when started, will resume where previously stopped</li>
<li>If Elasticsearch is unresponsive, ElastAlert will wait until it recovers before continuing</li>
<li>Alerts which throw errors may be automatically retried for a period of time</li>
</ul>
</div>
<div class="section" id="modularity">
<span id="id2"></span><h2>Modularity<a class="headerlink" href="#modularity" title="Permalink to this headline">¶</a></h2>
<p>ElastAlert has three main components that may be imported as a module or customized:</p>
<div class="section" id="rule-types">
<h3>Rule types<a class="headerlink" href="#rule-types" title="Permalink to this headline">¶</a></h3>
<p>The rule type is responsible for processing the data returned from Elasticsearch. It is initialized with the rule configuration, passed data
that is returned from querying Elasticsearch with the rule’s filters, and outputs matches based on this data. See <a class="reference internal" href="recipes/adding_rules.html#writingrules"><span class="std std-ref">Writing rule types</span></a>
for more information.</p>
</div>
<div class="section" id="alerts">
<h3>Alerts<a class="headerlink" href="#alerts" title="Permalink to this headline">¶</a></h3>
<p>Alerts are responsible for taking action based on a match. A match is generally a dictionary containing values from a document in Elasticsearch,
but may contain arbitrary data added by the rule type. See <a class="reference internal" href="recipes/adding_alerts.html#writingalerts"><span class="std std-ref">Writing alerts</span></a> for more information.</p>
</div>
<div class="section" id="enhancements">
<h3>Enhancements<a class="headerlink" href="#enhancements" title="Permalink to this headline">¶</a></h3>
<p>Enhancements are a way of intercepting an alert and modifying or enhancing it in some way. They are passed the match dictionary before it is given
to the alerter. See <a class="reference internal" href="recipes/adding_enhancements.html#enhancements"><span class="std std-ref">Enhancements</span></a> for more information.</p>
</div>
</div>
<div class="section" id="configuration">
<span id="id3"></span><h2>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline">¶</a></h2>
<p>ElastAlert has a global configuration file, <code class="docutils literal"><span class="pre">config.yaml</span></code>, which defines several aspects of its operation:</p>
<p><code class="docutils literal"><span class="pre">buffer_time</span></code>: ElastAlert will continuously query against a window from the present to <code class="docutils literal"><span class="pre">buffer_time</span></code> ago.
This way, logs can be back filled up to a certain extent and ElastAlert will still process the events. This
may be overridden by individual rules. This option is ignored for rules where <code class="docutils literal"><span class="pre">use_count_query</span></code> or <code class="docutils literal"><span class="pre">use_terms_query</span></code>
is set to true. Note that back filled data may not always trigger count based alerts as if it was queried in real time.</p>
<p><code class="docutils literal"><span class="pre">es_host</span></code>: The host name of the Elasticsearch cluster where ElastAlert records metadata about its searches.
When ElastAlert is started, it will query for information about the time that it was last run. This way,
even if ElastAlert is stopped and restarted, it will never miss data or look at the same events twice. It will also specify the default cluster for each rule to run on.
The environment variable <code class="docutils literal"><span class="pre">ES_HOST</span></code> will override this field.</p>
<p><code class="docutils literal"><span class="pre">es_port</span></code>: The port corresponding to <code class="docutils literal"><span class="pre">es_host</span></code>. The environment variable <code class="docutils literal"><span class="pre">ES_PORT</span></code> will override this field.</p>
<p><code class="docutils literal"><span class="pre">use_ssl</span></code>: Optional; whether or not to connect to <code class="docutils literal"><span class="pre">es_host</span></code> using TLS; set to <code class="docutils literal"><span class="pre">True</span></code> or <code class="docutils literal"><span class="pre">False</span></code>.
The environment variable <code class="docutils literal"><span class="pre">ES_USE_SSL</span></code> will override this field.</p>
<p><code class="docutils literal"><span class="pre">verify_certs</span></code>: Optional; whether or not to verify TLS certificates; set to <code class="docutils literal"><span class="pre">True</span></code> or <code class="docutils literal"><span class="pre">False</span></code>. The default is <code class="docutils literal"><span class="pre">True</span></code>.</p>
<p><code class="docutils literal"><span class="pre">client_cert</span></code>: Optional; path to a PEM certificate to use as the client certificate.</p>
<p><code class="docutils literal"><span class="pre">client_key</span></code>: Optional; path to a private key file to use as the client key.</p>
<p><code class="docutils literal"><span class="pre">ca_certs</span></code>: Optional; path to a CA cert bundle to use to verify SSL connections</p>
<p><code class="docutils literal"><span class="pre">es_username</span></code>: Optional; basic-auth username for connecting to <code class="docutils literal"><span class="pre">es_host</span></code>. The environment variable <code class="docutils literal"><span class="pre">ES_USERNAME</span></code> will override this field.</p>
<p><code class="docutils literal"><span class="pre">es_password</span></code>: Optional; basic-auth password for connecting to <code class="docutils literal"><span class="pre">es_host</span></code>. The environment variable <code class="docutils literal"><span class="pre">ES_PASSWORD</span></code> will override this field.</p>
<p><code class="docutils literal"><span class="pre">es_url_prefix</span></code>: Optional; URL prefix for the Elasticsearch endpoint.</p>
<p><code class="docutils literal"><span class="pre">es_send_get_body_as</span></code>: Optional; Method for querying Elasticsearch - <code class="docutils literal"><span class="pre">GET</span></code>, <code class="docutils literal"><span class="pre">POST</span></code> or <code class="docutils literal"><span class="pre">source</span></code>. The default is <code class="docutils literal"><span class="pre">GET</span></code></p>
<p><code class="docutils literal"><span class="pre">es_conn_timeout</span></code>: Optional; sets timeout for connecting to and reading from <code class="docutils literal"><span class="pre">es_host</span></code>; defaults to <code class="docutils literal"><span class="pre">10</span></code>.</p>
<p><code class="docutils literal"><span class="pre">rules_folder</span></code>: The name of the folder which contains rule configuration files. ElastAlert will load all
files in this folder, and all subdirectories, that end in .yaml. If the contents of this folder change, ElastAlert will load, reload
or remove rules based on their respective config files.</p>
<p><code class="docutils literal"><span class="pre">scan_subdirectories</span></code>: Optional; Sets whether or not ElastAlert should recursively descend the rules directory - <code class="docutils literal"><span class="pre">true</span></code> or <code class="docutils literal"><span class="pre">false</span></code>. The default is <code class="docutils literal"><span class="pre">true</span></code></p>
<p><code class="docutils literal"><span class="pre">run_every</span></code>: How often ElastAlert should query Elasticsearch. ElastAlert will remember the last time
it ran the query for a given rule, and periodically query from that time until the present. The format of
this field is a nested unit of time, such as <code class="docutils literal"><span class="pre">minutes:</span> <span class="pre">5</span></code>. This is how time is defined in every ElastAlert
configuration.</p>
<p><code class="docutils literal"><span class="pre">writeback_index</span></code>: The index on <code class="docutils literal"><span class="pre">es_host</span></code> to use.</p>
<p><code class="docutils literal"><span class="pre">max_query_size</span></code>: The maximum number of documents that will be downloaded from Elasticsearch in a single query. The
default is 10,000, and if you expect to get near this number, consider using <code class="docutils literal"><span class="pre">use_count_query</span></code> for the rule. If this
limit is reached, ElastAlert will <a class="reference external" href="https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-scroll.html">scroll</a> through pages the size of <code class="docutils literal"><span class="pre">max_query_size</span></code> until processing all results.</p>
<p><code class="docutils literal"><span class="pre">scroll_keepalive</span></code>: The maximum time (formatted in <a class="reference external" href="https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#time-units">Time Units</a>) the scrolling context should be kept alive. Avoid using high values as it abuses resources in Elasticsearch, but be mindful to allow sufficient time to finish processing all the results.</p>
<p><code class="docutils literal"><span class="pre">max_aggregation</span></code>: The maximum number of alerts to aggregate together. If a rule has <code class="docutils literal"><span class="pre">aggregation</span></code> set, all
alerts occuring within a timeframe will be sent together. The default is 10,000.</p>
<p><code class="docutils literal"><span class="pre">old_query_limit</span></code>: The maximum time between queries for ElastAlert to start at the most recently run query.
When ElastAlert starts, for each rule, it will search <code class="docutils literal"><span class="pre">elastalert_metadata</span></code> for the most recently run query and start
from that time, unless it is older than <code class="docutils literal"><span class="pre">old_query_limit</span></code>, in which case it will start from the present time. The default is one week.</p>
<p><code class="docutils literal"><span class="pre">disable_rules_on_error</span></code>: If true, ElastAlert will disable rules which throw uncaught (not EAException) exceptions. It
will upload a traceback message to <code class="docutils literal"><span class="pre">elastalert_metadata</span></code> and if <code class="docutils literal"><span class="pre">notify_email</span></code> is set, send an email notification. The
rule will no longer be run until either ElastAlert restarts or the rule file has been modified. This defaults to True.</p>
<p><code class="docutils literal"><span class="pre">notify_email</span></code>: An email address, or list of email addresses, to which notification emails will be sent. Currently,
only an uncaught exception will send a notification email. The from address, SMTP host, and reply-to header can be set
using <code class="docutils literal"><span class="pre">from_addr</span></code>, <code class="docutils literal"><span class="pre">smtp_host</span></code>, and <code class="docutils literal"><span class="pre">email_reply_to</span></code> options, respectively. By default, no emails will be sent.</p>
<p><code class="docutils literal"><span class="pre">from_addr</span></code>: The address to use as the from header in email notifications.
This value will be used for email alerts as well, unless overwritten in the rule config. The default value
is “ElastAlert”.</p>
<p><code class="docutils literal"><span class="pre">smtp_host</span></code>: The SMTP host used to send email notifications. This value will be used for email alerts as well,
unless overwritten in the rule config. The default is “localhost”.</p>
<p><code class="docutils literal"><span class="pre">email_reply_to</span></code>: This sets the Reply-To header in emails. The default is the recipient address.</p>
<p><code class="docutils literal"><span class="pre">aws_region</span></code>: This makes ElastAlert to sign HTTP requests when using Amazon Elasticsearch Service. It’ll use instance role keys to sign the requests.
The environment variable <code class="docutils literal"><span class="pre">AWS_DEFAULT_REGION</span></code> will override this field.</p>
<p><code class="docutils literal"><span class="pre">boto_profile</span></code>: Deprecated! Boto profile to use when signing requests to Amazon Elasticsearch Service, if you don’t want to use the instance role keys.</p>
<p><code class="docutils literal"><span class="pre">profile</span></code>: AWS profile to use when signing requests to Amazon Elasticsearch Service, if you don’t want to use the instance role keys.
The environment variable <code class="docutils literal"><span class="pre">AWS_DEFAULT_PROFILE</span></code> will override this field.</p>
<p><code class="docutils literal"><span class="pre">replace_dots_in_field_names</span></code>: If <code class="docutils literal"><span class="pre">True</span></code>, ElastAlert replaces any dots in field names with an underscore before writing documents to Elasticsearch.
The default value is <code class="docutils literal"><span class="pre">False</span></code>. Elasticsearch 2.0 - 2.3 does not support dots in field names.</p>
<p><code class="docutils literal"><span class="pre">string_multi_field_name</span></code>: If set, the suffix to use for the subfield for string multi-fields in Elasticsearch.
The default value is <code class="docutils literal"><span class="pre">.raw</span></code> for Elasticsearch 2 and <code class="docutils literal"><span class="pre">.keyword</span></code> for Elasticsearch 5.</p>
</div>
<div class="section" id="running-elastalert">
<span id="runningelastalert"></span><h2>Running ElastAlert<a class="headerlink" href="#running-elastalert" title="Permalink to this headline">¶</a></h2>
<p><code class="docutils literal"><span class="pre">$</span> <span class="pre">python</span> <span class="pre">elastalert/elastalert.py</span></code></p>
<p>Several arguments are available when running ElastAlert:</p>
<p><code class="docutils literal"><span class="pre">--config</span></code> will specify the configuration file to use. The default is <code class="docutils literal"><span class="pre">config.yaml</span></code>.</p>
<p><code class="docutils literal"><span class="pre">--debug</span></code> will run ElastAlert in debug mode. This will increase the logging verboseness, change
all alerts to <code class="docutils literal"><span class="pre">DebugAlerter</span></code>, which prints alerts and suppresses their normal action, and skips writing
search and alert metadata back to Elasticsearch. Not compatible with <cite>–verbose</cite>.</p>
<p><code class="docutils literal"><span class="pre">--verbose</span></code> will increase the logging verboseness, which allows you to see information about the state
of queries. Not compatible with <cite>–debug</cite>.</p>
<p><code class="docutils literal"><span class="pre">--start</span> <span class="pre"><timestamp></span></code> will force ElastAlert to begin querying from the given time, instead of the default,
querying from the present. The timestamp should be ISO8601, e.g. <code class="docutils literal"><span class="pre">YYYY-MM-DDTHH:MM:SS</span></code> (UTC) or with timezone
<code class="docutils literal"><span class="pre">YYYY-MM-DDTHH:MM:SS-08:00</span></code> (PST). Note that if querying over a large date range, no alerts will be
sent until that rule has finished querying over the entire time period. To force querying from the current time, use “NOW”.</p>
<p><code class="docutils literal"><span class="pre">--end</span> <span class="pre"><timestamp></span></code> will cause ElastAlert to stop querying at the specified timestamp. By default, ElastAlert
will periodically query until the present indefinitely.</p>
<p><code class="docutils literal"><span class="pre">--rule</span> <span class="pre"><rule.yaml></span></code> will only run the given rule. The rule file may be a complete file path or a filename in <code class="docutils literal"><span class="pre">rules_folder</span></code>
or its subdirectories.</p>
<p><code class="docutils literal"><span class="pre">--silence</span> <span class="pre"><unit>=<number></span></code> will silence the alerts for a given rule for a period of time. The rule must be specified using
<code class="docutils literal"><span class="pre">--rule</span></code>. <unit> is one of days, weeks, hours, minutes or seconds. <number> is an integer. For example,
<code class="docutils literal"><span class="pre">--rule</span> <span class="pre">noisy_rule.yaml</span> <span class="pre">--silence</span> <span class="pre">hours=4</span></code> will stop noisy_rule from generating any alerts for 4 hours.</p>
<p><code class="docutils literal"><span class="pre">--es_debug</span></code> will enable logging for all queries made to Elasticsearch.</p>
<p><code class="docutils literal"><span class="pre">--es_debug_trace</span> <span class="pre"><trace.log></span></code> will enable logging curl commands for all queries made to Elasticsearch to the
specified log file. <code class="docutils literal"><span class="pre">--es_debug_trace</span></code> is passed through to <a class="reference external" href="http://elasticsearch-py.readthedocs.io/en/master/index.html#logging">elasticsearch.py</a> which logs <cite>localhost:9200</cite>
instead of the actual <code class="docutils literal"><span class="pre">es_host</span></code>:<code class="docutils literal"><span class="pre">es_port</span></code>.</p>
<p><code class="docutils literal"><span class="pre">--end</span> <span class="pre"><timestamp></span></code> will force ElastAlert to stop querying after the given time, instead of the default,
querying to the present time. This really only makes sense when running standalone. The timestamp is formatted
as <code class="docutils literal"><span class="pre">YYYY-MM-DDTHH:MM:SS</span></code> (UTC) or with timezone <code class="docutils literal"><span class="pre">YYYY-MM-DDTHH:MM:SS-XX:00</span></code> (UTC-XX).</p>
<p><code class="docutils literal"><span class="pre">--pin_rules</span></code> will stop ElastAlert from loading, reloading or removing rules based on changes to their config files.</p>
</div>
</div>
</div>
<div class="articleComments">
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="running_elastalert.html" class="btn btn-neutral float-right" title="Running ElastAlert for the First Time" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
<a href="index.html" class="btn btn-neutral" title="ElastAlert - Easy & Flexible Alerting With Elasticsearch" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<p>
© Copyright 2018, Yelp.
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT:'./',
VERSION:'0.0.1',
COLLAPSE_INDEX:false,
FILE_SUFFIX:'.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/js/theme.js"></script>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.StickyNav.enable();
});
</script>
</body>
</html>