Fetching last seen document for flatline alert #1386
There are currently no plans to implement that feature. But if you're interested in contributing the work and completing the pull request (PR) requirements, as specified in the Contribution Guidelines, then yes, we certainly could get it into the product. The work itself requires an in-depth knowledge of the Python language, a reasonable understanding of the Elasticsearch API (such as knowing how to limit the query results to only include the single most recent match), being able to handle edge cases such as no document being found (it could have been deleted, or be outside the query time range, etc.), and the ability to write Python unit tests, including a thorough understanding of mocks. Fortunately, if you are somewhat knowledgeable in these areas you can probably look at the existing code to quickly get up to speed, as there is already code in ElastAlert 2 that performs queries, limits result sizes, and uses mocks within unit tests.
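The pieces the maintainer lists (a query limited to the single most recent match, a None path for the case where no document is found, and a mock-based unit test) as an added example that is not ElastAlert 2 code or the maintainer's own. It assumes a client object exposing `search(index=..., body=...)` as the elasticsearch-py client does, a sortable date field named `@timestamp`, and the constructed sample hit embedded in the block; the index name `app-logs` and all function names are hypothetical.

```python
"""Illustrative helper (not ElastAlert 2 code): fetch the newest document in a window.

Assumptions:
  * ``es_client`` exposes ``search(index=..., body=...)`` and returns the usual
    Elasticsearch response dict, as the elasticsearch-py client does.
  * ``timestamp_field`` is mapped as a date, so it can be sorted on.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterable, List, Optional
from unittest.mock import MagicMock

# Constructed query window used by the demo below (hypothetical values).
WINDOW_END = datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)
WINDOW_START = WINDOW_END - timedelta(hours=1)

# Constructed sample hit, shaped like one entry of response["hits"]["hits"].
SAMPLE_HIT = {
    "_index": "app-logs",
    "_id": "1",
    "_source": {"@timestamp": "2023-01-01T11:59:00Z", "host": "web-1", "status": 200},
}


def build_last_seen_query(timestamp_field: str, start: datetime, end: datetime,
                          extra_filter: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Query body returning at most one hit: the newest document in [start, end)."""
    filters: List[Dict[str, Any]] = [
        {"range": {timestamp_field: {"gte": start.isoformat(), "lt": end.isoformat()}}}
    ]
    if extra_filter:
        filters.append(extra_filter)  # e.g. the rule's own filter clause
    return {
        "size": 1,  # limit the result set to the single most recent match
        "sort": [{timestamp_field: {"order": "desc"}}],
        "query": {"bool": {"filter": filters}},
    }


def fetch_last_seen_document(es_client, index: str, timestamp_field: str,
                             start: datetime, end: datetime,
                             extra_filter: Optional[Dict[str, Any]] = None
                             ) -> Optional[Dict[str, Any]]:
    """Return the newest matching document's _source, or None when nothing matched.

    The None path is the edge case from the discussion: the document may have
    been deleted, may fall outside the query window, or the index may be empty.
    """
    body = build_last_seen_query(timestamp_field, start, end, extra_filter)
    response = es_client.search(index=index, body=body)
    hits = response.get("hits", {}).get("hits", [])
    if not hits:
        return None
    return hits[0].get("_source")


def last_seen_fields(doc: Optional[Dict[str, Any]], fields: Iterable[str]) -> Dict[str, Any]:
    """Pick the fields an alert body would reference; a missing document yields {}."""
    if doc is None:
        return {}
    return {name: doc[name] for name in fields if name in doc}


def make_mock_client(hits: List[Dict[str, Any]]) -> MagicMock:
    """Stand-in for the Elasticsearch client, as a unit test would build it."""
    client = MagicMock()
    client.search.return_value = {"hits": {"total": {"value": len(hits)}, "hits": hits}}
    return client


def demo() -> Dict[str, Any]:
    """Run the found and not-found cases against mocked clients."""
    client_hit = make_mock_client([SAMPLE_HIT])
    found = fetch_last_seen_document(client_hit, "app-logs", "@timestamp",
                                     WINDOW_START, WINDOW_END)
    client_empty = make_mock_client([])
    missing = fetch_last_seen_document(client_empty, "app-logs", "@timestamp",
                                       WINDOW_START, WINDOW_END)
    return {
        "found": found,
        "missing": missing,
        "fields": last_seen_fields(found, ["host", "status", "not_there"]),
        # What the code actually sent to the (mocked) client, for the test to inspect.
        "sent_body": client_hit.search.call_args.kwargs["body"],
    }


if __name__ == "__main__":
    print(demo())
```

The mock is what makes the not-found branch testable without an Elasticsearch instance: the test checks both the value returned and the body passed to `search`, so a regression that drops `size: 1` or the descending sort is caught even though the mock would happily return the same hits.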
I am using the flatline alert; it works fine and notifies fine.
I was wondering if there is a way to call the fields from the last seen documents and, if not, whether there are plans to implement that, as I can see there are a bunch of people asking about missing fields in the flatline rule. If there are no plans, maybe I could take a look at it; how would that process go?
This is my first time trying to collaborate, so I'm not sure how it goes.
Thanks