Elastalert: How to run rule periodically


We are using Elastalert for alerting on Elasticsearch data. I want to run a rule periodically, i.e. the rule should run every hour (1AM, 2AM, ... 23PM) of a day. We are using the below code snippet for the same.

name: Test Alert
type: frequency
index: example-index-*
timestamp_field: '@timestamp'
timeframe:
  hours: 1
realert:
  hours: 1
num_events: 1
use_count_query: true
doc_type: _doc
filter:
  - query:
      query_string:
        query: 'event_type: api_log'
  - range:
      responseCode:
        gte: 400
        lt: 499
alert_text_type: exclude_fields
alert:
  - slack
slack_webhook_url: "<slack_webhook_url>"
alert_subject: "Test Rule \n num_hits = {0} \n num_events = {1}"
alert_subject_args:
  - "num_hits"
  - "num_events"

Does anyone have any idea what we are doing wrong, and what changes we need to make?

Include the run_every: 60 option in your config file or in the above code snippet.

Then you can start elastalert using the argument --start <timestamp>.

Example:

python -m elastalert.elastalert --verbose --start 2021-06-18T01:00:00 --rule example_frequency.yaml

The above example starts elastalert with a timestamp in ISO8601 format, in UTC. You can use your timezone like YYYY-MM-DDTHH:MM:SS-08:00 (PST).

Note: It is not necessary to start elastalert using the --start argument. Just including the run_every option in your config will make elastalert query every hour.

More details here:
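As an added illustration (not code from the question, the answer or ElastAlert itself), here is a small Python model of how run_every, timeframe, realert and the rule's two filters interact, run over constructed sample documents. It assumes run_every is a time-delta mapping of the same shape as timeframe, and it handles only the filter forms this rule uses.

```python
from datetime import datetime, timedelta, timezone

RULE = {  # constructed: the question's rule as yaml.safe_load would return it (alert keys omitted)
    "timestamp_field": "@timestamp",
    "timeframe": {"hours": 1},
    "realert": {"hours": 1},
    "num_events": 1,
    "filter": [
        {"query": {"query_string": {"query": "event_type: api_log"}}},
        {"range": {"responseCode": {"gte": 400, "lt": 499}}},
    ],
}
RUN_EVERY = {"minutes": 60}  # assumed: a time-delta mapping, the same shape as timeframe

T0 = datetime(2021, 6, 18, 0, 0, tzinfo=timezone.utc)
EVENTS = [  # constructed sample documents; two of them must not count
    {"@timestamp": T0 + timedelta(minutes=20), "event_type": "api_log", "responseCode": 404},
    {"@timestamp": T0 + timedelta(minutes=45), "event_type": "api_log", "responseCode": 404},
    {"@timestamp": T0 + timedelta(minutes=50), "event_type": "api_log", "responseCode": 503},   # 5xx
    {"@timestamp": T0 + timedelta(minutes=70), "event_type": "auth_log", "responseCode": 401},  # type
    {"@timestamp": T0 + timedelta(minutes=130), "event_type": "api_log", "responseCode": 403},
]

def matches(event, rule_filter):
    """Apply the rule's filter clauses to one document. Only the 'field: value' form of
    query_string and gte/lt range bounds are handled (enough for this rule; an assumption)."""
    for clause in rule_filter:
        if "query" in clause:
            field, value = clause["query"]["query_string"]["query"].split(": ", 1)
            if str(event.get(field)) != value:
                return False
        elif "range" in clause:
            field, bounds = next(iter(clause["range"].items()))
            v = event.get(field)
            if v is None or not bounds.get("gte", v) <= v < bounds.get("lt", v + 1):
                return False
    return True

def simulate(rule, events, start, run_every, runs):
    """One query per run_every, counting matching docs in the timeframe ending at the run time;
    alert when hits >= num_events unless an alert fired less than realert ago. Returns (end, hits, fired)."""
    step, span = timedelta(**run_every), timedelta(**rule["timeframe"])
    realert, ts, last_alert, out = timedelta(**rule["realert"]), rule["timestamp_field"], None, []
    for i in range(runs):
        end = start + i * step
        hits = sum(1 for e in events if end - span < e[ts] <= end and matches(e, rule["filter"]))
        fired = hits >= rule["num_events"] and (last_alert is None or end - last_alert >= realert)
        last_alert = end if fired else last_alert
        out.append((end, hits, fired))
    return out
```

Calling simulate with a 30-minute run_every instead of 60 shows the realert suppression the hourly schedule never triggers: a run 30 minutes after an alert finds hits but does not alert again.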