Two rules have the same context, but only one of them is firing an alert. #1280

eveningcafe · 2023-09-25T10:39:07Z

eveningcafe
Sep 25, 2023

Hi, in my ElastAlert rules folder, I have two rules with exactly the same meaning and syntax, only the names are different, and I got only one firing:

rule1.yaml

type: frequency
use_terms_query: true
index: 53471_b1e0d5db-fc4c-4465-86fb-8d4cf7e36220*
name: 030d56aacc99ec79_b8ea32340e1f978c
alert: alertmanager
alertmanager_alertname: 030d56aacc99ec79_b8ea32340e1f978c
alertmanager_fields:
  resource_value: clientip.keyword
alertmanager_labels:
  resource_name: clientip.keyword
alertmanager_resolve_time:
  minutes: 2
buffer_time:
  minutes: 1
filter:
  - bool:
      adjust_pure_negative: true
      boost: 1
      must:
        - bool:
            adjust_pure_negative: true
            boost: 1
            must:
              - match_phrase:
                  '@version.keyword':
                    boost: 1
                    query: "1"
                    slop: 0
                    zero_terms_query: NONE

num_events: 3
query_delay:
  seconds: 10
query_key: clientip.keyword
realert:
  minutes: 1
terms_size: 1000
timeframe:
  minutes: 1

and rule2.yaml

type: frequency
use_terms_query: true
index: 53471_b1e0d5db-fc4c-4465-86fb-8d4cf7e36220*
name: 6f291e09368d9236_3d599a521b6e5b04
alert: alertmanager
alertmanager_alertname: 6f291e09368d9236_3d599a521b6e5b04
alertmanager_fields:
  resource_value: clientip.keyword
alertmanager_labels:
  resource_name: clientip.keyword
alertmanager_resolve_time:
  minutes: 2
buffer_time:
  minutes: 1
filter:
  - bool:
      adjust_pure_negative: true
      boost: 1
      must:
        - bool:
            adjust_pure_negative: true
            boost: 1
            must:
              - match_phrase:
                  '@version.keyword':
                    boost: 1
                    query: "1"
                    slop: 0
                    zero_terms_query: NONE

num_events: 3
query_delay:
  seconds: 10
query_key: clientip.keyword
realert:
  minutes: 1
terms_size: 1000
timeframe:
  minutes: 1

It only fires alert of the rule name '030d56aacc99ec79_b8ea32340e1f978c' when I expect it to fire both. Is that normal or abnormal, and why?

P.S.: when I deleted the file 'rule1,' and the other rule is firing. :(

Answered by jertel

Sep 25, 2023

Does the log show that it is loading both? If so, does the log show that both are running and making queries? Enable debug logging if necessary.

View full answer

jertel · 2023-09-25T10:45:29Z

jertel
Sep 25, 2023
Maintainer

Does the log show that it is loading both? If so, does the log show that both are running and making queries? Enable debug logging if necessary.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Two rules have the same context, but only one of them is firing an alert. #1280

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Two rules have the same context, but only one of them is firing an alert. #1280

eveningcafe Sep 25, 2023

Replies: 1 comment

jertel Sep 25, 2023 Maintainer

eveningcafe
Sep 25, 2023

jertel
Sep 25, 2023
Maintainer