Sameera De Silva
1 min read · Jan 25, 2021

ElastAlert: how to use aggregation?

Without aggregation, the email alert only carries the num_events count and the last received message of the alert.

ZerodontTrigger.yaml: |-
  ---
  name: ZerodontTrigger
  type: frequency
  limit_execution: "0/2 * * * *"
  index: wen-*
  num_events: 0
  timeframe:
    minutes: 120
  filter:
  - query:
      match_all: {}
  alert:
  - "email"
  email:
  - "hhh@dddd.com"
  from_addr: "hhh@john.com"
  alert_subject: "Check that the alert is triggering at {0} for zero num_events; message is {1}"
  alert_subject_args:
  - "@timestamp"
  - message
  alert_text: "Hooray num events zero triggers alert OK"

However, with aggregation we can pass Host_Id and num_matches into the alert. The limitation is that the message value cannot be passed; it is printed as a missing value.

PLOTTHREE.yaml: |-
  ---
  name: PLOTTHREE
  type: frequency
  limit_execution: "0/15 * * * *"
  index: home-*
  num_events: 1
  aggregation:
    minutes: 10
  include:
  - Host_Group
  - Host_Id
  timeframe:
    minutes: 15
  filter:
  - query:
      query_string:
        query: "Host_Group.keyword:fatal"
  alert:
  - "email"
  email:
  - "john@doe.com"
  from_addr: "yyy@doe.com"
  alert_subject: "PLOTTHREE - ERROR detected in Kafka Zookeeper logs of host group fatal at {0}."
  alert_subject_args:
  - "@timestamp"
  alert_text: "Hello Team, ERROR event(s) detected in last 15 minutes. Hosts where errors are detected in {0}. Here is the num events {1}."
  alert_text_type: alert_text_only
  alert_text_args:
  - Host_Id
  - num_matches

Also, if the emails should be sent separately for each value of Host_Id, use aggregation_key: "Host_Id". Add this line to the existing rule.
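To see what the aggregated rule above produces, here is a small simulation of the batching behaviour this post describes (one alert per aggregation_key value, num_matches counted per group, fields outside `include` reported as missing). It is an added example written for this post, not ElastAlert's own code; the rule fragment, the three matches and the "<MISSING VALUE>" marker are constructed, and taking field values from the first match of a group is an assumption of the simulation.

```python
from collections import defaultdict

MISSING = "<MISSING VALUE>"  # constructed placeholder for a field the rule did not include

# Constructed rule fragment mirroring PLOTTHREE with aggregation_key added.
RULE = {
    "include": ["Host_Group", "Host_Id"],
    "aggregation_key": "Host_Id",
    "alert_text": "Hosts where errors are detected in {0}. Here is the num events {1}.",
    "alert_text_args": ["Host_Id", "num_matches"],
}

# Constructed matches as they might arrive within one aggregation window.
MATCHES = [
    {"@timestamp": "2021-01-25T10:00:01Z", "Host_Group": "fatal", "Host_Id": "zk-01", "message": "ERROR session expired"},
    {"@timestamp": "2021-01-25T10:02:10Z", "Host_Group": "fatal", "Host_Id": "zk-02", "message": "ERROR quorum lost"},
    {"@timestamp": "2021-01-25T10:05:42Z", "Host_Group": "fatal", "Host_Id": "zk-01", "message": "ERROR retry failed"},
]

def project(match, include):
    """Keep only the fields listed under `include` (plus @timestamp), so
    anything else, such as `message`, is unavailable to the alert text."""
    keep = set(include) | {"@timestamp"}
    return {k: v for k, v in match.items() if k in keep}

def aggregate(rule, matches):
    """Group projected matches by the aggregation_key value: {key: [matches]}."""
    groups = defaultdict(list)
    for m in matches:
        p = project(m, rule["include"])
        groups[p.get(rule["aggregation_key"], MISSING)].append(p)
    return groups

def render_alert(rule, group):
    """Fill alert_text_args for one group: num_matches is the group size,
    other args come from the first match (assumption), missing ones are marked."""
    first = group[0]
    args = []
    for name in rule["alert_text_args"]:
        if name == "num_matches":
            args.append(len(group))
        else:
            args.append(first.get(name, MISSING))
    return rule["alert_text"].format(*args)

def build_alerts(rule, matches):
    """One rendered alert (one email) per aggregation_key value."""
    return {k: render_alert(rule, g) for k, g in aggregate(rule, matches).items()}
```

Swapping `alert_text_args` to `["message", "num_matches"]` in `RULE` shows the missing-value case from the post.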
