I need to write an ElastAlert rule that aggregates the values of events. The 'value' is one of fields in the ES document. For example, I need the total of all values, or the average.
I'm new to Python so was wondering if there are examples for such rules anywhere.
For example, if you want an alert to be triggered when a specific value aggregated among documents reaches a threshold, you could implement your own rule that does that.
First create a file called elastalert_modules/my_rules.py, next to an __ init__.py file, as the documentation states.
Then in my_rules.py you can write the following:
from elastalert.ruletypes import RuleType
class CountValuesRule(RuleType):
tracked_values = ['value1', 'value2', 'value3']
counts = {key: 0 for key in tracked_values}
# From elastalert docs:
# add_data will be called each time Elasticsearch is queried.
# data is a list of documents from Elasticsearch, sorted by timestamp,
# including all the fields that the config specifies with "include"
def add_data(self, data):
def should_trigger(document):
# here decide if value in counts should trigger alert, for example:
if self.counts['value1'] > 1000
return True
return False
for document in data:
# Increment tracked values
for value in self.tracked_values:
self.counts[value] += document.get(value, 0)
if should_trigger(document):
self.add_match(document)
# Stop checking other values
break
# The results of get_match_str will appear in the alert text
def get_match_str(self, match):
return "A value has reached specified threshold. Values: %s" % (str(self.counts))
# From elastalert docs:
# garbage_collect is called indicating that ElastAlert has already been run up to timestamp
# It is useful for knowing that there were no query results from Elasticsearch because
# add_data will not be called with an empty list
def garbage_collect(self, timestamp):
pass
Finally include this custom rule in a rule you are configuring, like this:
name: Your rule name
es_host: Your host
es_port: Your port
type: "elastalert_modules.my_rules.CountValuesRule"
