ElasticSearch 7.x support #2202
Comments
I've currently got a pull request trying to resolve this issue, #2194. We are currently running this branch against our ES7.0-beta1 server. Whether the change is accepted into the main project is unknown.
Same problem here. Worked nicely before. I hope it will be merged soon, else I have to downgrade or change component for alerts. Best regards.
Are there any updates on using elastalert on elastic 7.0?
Hi!
Try installing
I've tested version 0.2.0b2 but unfortunately I'm still getting the error. I have been using the bitsensor/elastalert dockerfile to build a new image. Any other ideas?
@jbecker94 Can you provide more information? In order to track down a possible bug we need to know which version of Elasticsearch you're running against so we can replicate this. Just to make sure, can you compare the elastalert.py file in the docker image against the same file in tag 0.2.0b2? The complete stack trace would also be of benefit to us since we get more information on the origins of this error.
@matsgoran I have done a little bit more troubleshooting and it is now working using the following commands according to bitsensor:
The only thing which isn't working is the elastalert-test-rule command. I'm not sure if this is an issue with the docker container or the version. I used the following commands to test my rule, which works under 0.1.39 but not using 0.2.0b2.
This responds with the following stack trace:
@jbecker94 From what I can figure, the test-rule command expects a --config parameter pointing to the elastalert configuration; there is no default for this option as far as I can tell in elastalert. Therefore my first reaction would be that this option needs to be provided by bitsensor/elastalert. FYI I may be wrong in this assessment since I'm away from the computer atm.
@matsgoran For my understanding, if it runs under 0.1.39 it should also be running under 0.2.0b2. The config should be available since the exact same folders are mounted into both of the containers. I have used the exact same Dockerbuildfile as the original bitsensor docker image, so there should be no difference except the different elastalert version. Hopefully in a couple of days there will be an official bitsensor version which fixes this issue. Most likely I have done something wrong in the build process, or can anybody confirm that the test-rule command doesn't work?
@jbecker94 Let's hope so :) The changes related to the ES7 compatibility in the beta did not touch any part of the test-rule bootstrap process.
Man, this is the most annoying kind of breaking change. Just grepping through the code I can see that these don't always appear together in search/deprecated_search pairs. I'll go through the code and double check this gets used correctly. More context from THAT error would be useful. Elastalert-test-rule is kind of a mess, the error handling there is not great, and there's all sorts of special snowflake config being done. The
I tried with the 0.2.0b version of ElastAlert (I'm using Elastic stack 7.0 version).
@RiteshKuchukulla Are you running 0.2.0b1 or 0.2.0b2? ES7 support was added in 0.2.0b2.
@matsgoran
When I try to build the beta version I get this error on Centos 7: error: urllib3 1.25.3 is installed but urllib3<1.25,>=1.20 is required by set(['botocore'])
Hi here, I read different comments about the beta version working or not in 7.x. Can anyone confirm if 0.2.0b2 works? I needed to upgrade to 7.1 and since then we don't have alerting, so I would like to give it a try soon.
I just installed the latest version of ELK 7.1 but ElastAlert is not working; I am getting. Anyone got any fix for ES 7.1?
@fpompermaier |
@shahid-dgs |
@Qmando what should I do? I just followed the build instructions
Anyone bold enough to see if this works with 7.2 yet?
@bangejsans No new issues seen using v0.2.0b2 and running for 12 hours.
Hello, I have installed elastalert beta from pip, when I am trying to create index I am getting the following error message:
Note I am running elasticsearch 7.2.0 with security enabled.
Getting the same errors as above. Is there a resolution yet to the source_includes error?
Run python 2, use v0.2.0b2
Interesting. python2 is end of life in less than 6 months and we still have it as a dependency
velocidi/elastalert this docker image works well for es 7.2
Has anyone run this on elasticsearch 7.10.x or 7.11.x?
It should work.
@nsano-rururu
It's not Esper, so that kind of listening is frustrating. elastalert-server?
The latest docker image should be python3.8 environment?
@NOULeENGINEER
It works with the latest 7.11.1, but what?
I'm going to try your latest version on the docker hub
the version of the elasticsearch is 7.9.1
See the official website for the manual installation procedure. I wrote it. Because I'm the maintainer.
I have installed elasticsearch 7.0.1 and the elastalert plugin. I am facing the same _source_include issue. Is any fix provided? Would have written the following documents to writeback index (default is elastalert_status): elastalert_error - {'message': "Error running query: RequestError(400, u'illegal_argument_exception', u'request [/elastic_log_qa1_*/_search] contains unrecognized parameter: [_source_include] -> did you mean any of [_source_includes, _source_excludes]?')", 'traceback': ['Traceback (most recent call last):', ' File "elastalert/elastalert.py", line 370, in get_hits',
Please create a new issue. Also, it is difficult to answer without more detailed information about the environment.
I upgraded my Elasticsearch installation to 7.0.0 and since then elastalert is giving errors related to "[_source_include] -> did you mean any of [_source_includes, _source_excludes]", which I assume is due to "Remove deprecated url parameters _source_include and _source_exclude #35097 (issues: #22792, #33475)" (https://www.elastic.co/guide/en/elasticsearch/reference/7.0/release-notes-7.0.0.html)
Is there in plan to make Elastalert compatible with ElasticSearch 7.0.0 anytime soon?
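As an added illustration of the compatibility fix this issue asks for (example code, not ElastAlert's own), the shim below picks the `_source_include`/`_source_exclude` parameter names for pre-7 clusters and the plural `_source_includes`/`_source_excludes` names for 7.x, based on the `version.number` field of the cluster info response, and pulls the offending parameter name out of the 400 reason string quoted above so an `elastalert_error` document can be triaged without guessing. The sample info documents and reason string are constructed from the values in this thread.

```python
import re
from typing import Dict, Optional

# Constructed samples of the `version.number` field from an Elasticsearch GET / response.
SAMPLE_INFO_7 = {"version": {"number": "7.0.1"}}
SAMPLE_INFO_6 = {"version": {"number": "6.8.0"}}

# Constructed sample of the illegal_argument_exception reason quoted in this issue.
SAMPLE_REASON = ("request [/elastic_log_qa1_*/_search] contains unrecognized parameter: "
                 "[_source_include] -> did you mean any of [_source_includes, _source_excludes]?")


def es_major_version(info: dict) -> int:
    """Parse the major version out of the cluster info document."""
    number = info["version"]["number"]
    match = re.match(r"(\d+)\.", number)
    if match is None:
        raise ValueError("unrecognised Elasticsearch version: %r" % (number,))
    return int(match.group(1))


def source_filter_params(major: int, includes=None, excludes=None) -> Dict[str, str]:
    """Build the _source filtering URL parameters for the given ES major version.

    Elasticsearch 7.0 removed the singular names, so 7.x gets the plural
    form; older clusters keep the singular form that ElastAlert 0.1.x sent.
    """
    suffix = "s" if major >= 7 else ""
    params = {}
    if includes:
        params["_source_include" + suffix] = ",".join(includes)
    if excludes:
        params["_source_exclude" + suffix] = ",".join(excludes)
    return params


def unrecognized_parameter(reason: str) -> Optional[str]:
    """Return the parameter name named in an 'unrecognized parameter' 400 reason, or None.

    A hit on `_source_include` right after an ES upgrade points at this
    compatibility problem rather than at a broken rule.
    """
    match = re.search(r"unrecognized parameter: \[([^\]]+)\]", reason)
    return match.group(1) if match else None
```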