Merge branch 'master' of https://github.com/Yelp/elastalert

docs/source/elastalert.rst

@@ -167,6 +167,8 @@ from that time, unless it is older than ``old_query_limit``, in which case it wi
 will upload a traceback message to ``elastalert_metadata`` and if ``notify_email`` is set, send an email notification. The
 rule will no longer be run until either ElastAlert restarts or the rule file has been modified. This defaults to True.
 
+``show_disabled_rules``: If true, ElastAlert show the disable rules' list when finishes the execution. This defaults to True.
+
 ``notify_email``: An email address, or list of email addresses, to which notification emails will be sent. Currently,
 only an uncaught exception will send a notification email. The from address, SMTP host, and reply-to header can be set
 using ``from_addr``, ``smtp_host``, and ``email_reply_to`` options, respectively. By default, no emails will be sent.

elastalert/elastalert.py

@@ -43,12 +43,12 @@
 from util import replace_dots_in_field_names
 from util import seconds
 from util import set_es_key
+from util import should_scrolling_continue
 from util import total_seconds
 from util import ts_add
 from util import ts_now
 from util import ts_to_dt
 from util import unix_to_dt
-from util import should_scrolling_continue
 
 
 class ElastAlerter(object):
@@ -132,6 +132,7 @@ def __init__(self, args):
         self.replace_dots_in_field_names = self.conf.get('replace_dots_in_field_names', False)
         self.string_multi_field_name = self.conf.get('string_multi_field_name', False)
         self.add_metadata_alert = self.conf.get('add_metadata_alert', False)
+        self.show_disabled_rules = self.conf.get('show_disabled_rules', True)
 
         self.writeback_es = elasticsearch_client(self.conf)
 
@@ -438,7 +439,7 @@ def get_hits_count(self, rule, starttime, endtime, index):
     def get_hits_terms(self, rule, starttime, endtime, index, key, qk=None, size=None):
         rule_filter = copy.copy(rule['filter'])
         if qk:
-            qk_list = qk.split(", ")
+            qk_list = qk.split(",")
             end = None
             if rule['five']:
                 end = '.keyword'
@@ -1110,6 +1111,10 @@ def start(self):
             if next_run < datetime.datetime.utcnow():
                 continue
 
+            # Show disabled rules
+            if self.show_disabled_rules:
+                elastalert_logger.info("Disabled rules are: %s" % (str(self.get_disabled_rules())))
+
             # Wait before querying again
             sleep_duration = total_seconds(next_run - datetime.datetime.utcnow())
             self.sleep_for(sleep_duration)
@@ -1202,6 +1207,10 @@ def stop(self):
         """ Stop an ElastAlert runner that's been started """
         self.running = False
 
+    def get_disabled_rules(self):
+        """ Return disabled rules """
+        return [rule['name'] for rule in self.disabled_rules]
+
     def sleep_for(self, duration):
         """ Sleep for a set duration """
         elastalert_logger.info("Sleeping for %s seconds" % (duration))

elastalert/opsgenie.py

@@ -81,7 +81,11 @@ def alert(self, matches):
             post['teams'] = [{'name': r, 'type': 'team'} for r in self.teams]
         post['description'] = body
         post['source'] = 'ElastAlert'
+
+        for i, tag in enumerate(self.tags):
+            self.tags[i] = tag.format(**matches[0])
         post['tags'] = self.tags
+
         if self.priority and self.priority not in ('P1', 'P2', 'P3', 'P4', 'P5'):
             logging.warn("Priority level does not appear to be specified correctly. \
                          Please make sure to set it to a value between P1 and P5")

example_rules/example_spike_single_metric_agg.yaml

@@ -6,6 +6,9 @@ type: spike_aggregation
 
 index: metricbeat-*
 
+timeframe:
+  hours: 4
+
 buffer_time:
   hours: 1