Description

An incorrect silence cache key is created, ignoring all query key fields, when the following circumstances occur:

elastalert2 > 2.18.0
"realert" is set in the rule,
a compound query key (i.e. one built from multiple query key fields) is configured in the rule,
any query key field refers to an array, that is, square brackets are used in at least one of the field names of the compound query key (e.g. "array[0]field")

Example rule

Result

The silence cache key written to ES contains only the rule name and completely ignores the query key fields. As a result, every alert coming from the rule, regardless of its query key values, is suppressed for the configured realert time.

Expected result

The silence cache key written to ES contains the rule name and the combined values of the compound query key. Only alerts that match the same query key values are suppressed.

Investigation

The error appears when calling the method get_query_key_value:

elastalert2/elastalert/elastalert.py, line 908 in 70bc1d8

because of a new implementation of the _find_es_dict_by_key function, which is used indirectly by get_query_key_value:

elastalert2/elastalert/util.py, line 47 in d400d00

Under the circumstances above, get_query_key_value always returns None, so alert suppression does not work properly.

The workaround for handling compound query keys that existed in the old version of _find_es_dict_by_key has unfortunately not been carried over to the new function:

elastalert2/elastalert/util.py, lines 68 to 81 in 3b4608c

Please fix the _find_es_dict_by_key function so that it also accepts a compound query key containing arrays (square brackets).
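The following is an added example, not elastalert2's own code: a small hypothetical model in Python (the project's language) of how a compound query key should feed the silence cache key, placed beside a lookup that cannot parse "[n]" so the failure described above can be reproduced offline. The assumed conventions are stated in the module docstring and are not taken from the project source: dot-separated field paths with "[n]" selecting a list element, values joined with ", ", the key laid out as "<rule name>.<joined values>", and a fallback to the bare rule name when the value cannot be resolved. The sample matches are constructed, not real ES documents. The point for detection engineering is visible in the returned keys: with the broken lookup, two matches from different hosts and users collapse onto one silence key, so a single match (whoever caused it) opens a realert window that hides every later match from the rule.

```python
"""Added example, not elastalert2's code: a minimal model of how a compound
query key should feed the silence cache key, and how a lookup that cannot
parse "[n]" collapses the key to the bare rule name.

Hypothetical assumptions (not taken from the project source):
- field paths are dot-separated, and "[n]" selects a list element,
  e.g. "events[0].user" -> doc["events"][0]["user"]
- a compound query key is a list of such paths whose values are joined with
  ", " and appended to the rule name as "<rule name>.<joined values>"
- if the value cannot be resolved, the silence key falls back to the rule name
"""
import re

# "name[0][1]" -> ("name", "[0][1]"); a plain "name" does not match
_INDEXED = re.compile(r"^([^\[\]]*)((?:\[\d+\])+)$")


def naive_lookup(doc, path):
    """Dotted-path lookup with no bracket handling.

    A segment such as "events[0]" is looked up literally as a dict key,
    fails, and the whole lookup returns None. This models the behaviour the
    issue describes for the new _find_es_dict_by_key."""
    cur = doc
    for segment in path.split("."):
        if not isinstance(cur, dict) or segment not in cur:
            return None
        cur = cur[segment]
    return cur


def indexed_lookup(doc, path):
    """Dotted-path lookup that also resolves "[n]" list indexes.

    Returns None (rather than raising) for a missing key, a non-list where an
    index is used, or an out-of-range index, so a malformed document can never
    crash the alerter."""
    cur = doc
    for segment in path.split("."):
        m = _INDEXED.match(segment)
        name = m.group(1) if m else segment
        indexes = [int(i) for i in re.findall(r"\[(\d+)\]", m.group(2))] if m else []
        if name:  # the name is empty only for a bare "[n]" segment
            if not isinstance(cur, dict) or name not in cur:
                return None
            cur = cur[name]
        for i in indexes:
            if not isinstance(cur, list) or i >= len(cur):
                return None
            cur = cur[i]
    return cur


def compound_query_key_value(doc, fields, lookup):
    """Join the values of all compound query key fields, or return None if any
    field cannot be resolved (all-or-nothing, like a single failed lookup)."""
    values = []
    for field in fields:
        value = lookup(doc, field)
        if value is None:
            return None
        values.append(str(value))
    return ", ".join(values)


def silence_cache_key(rule_name, doc, fields, lookup):
    """Build the per-match silence key: rule name plus query key values when
    they resolve, bare rule name otherwise (assumed fallback)."""
    qk = compound_query_key_value(doc, fields, lookup)
    return rule_name if qk is None else f"{rule_name}.{qk}"


# Constructed sample matches (not real ES documents); one field name uses "[0]".
RULE_NAME = "Example compound rule"
QUERY_KEY_FIELDS = ["host", "events[0].user"]
MATCH_ALICE = {"host": "web-01", "events": [{"user": "alice"}]}
MATCH_BOB = {"host": "web-02", "events": [{"user": "bob"}]}


def demo():
    """Return (keys from the broken lookup, keys from the fixed lookup)."""
    broken = [silence_cache_key(RULE_NAME, m, QUERY_KEY_FIELDS, naive_lookup)
              for m in (MATCH_ALICE, MATCH_BOB)]
    fixed = [silence_cache_key(RULE_NAME, m, QUERY_KEY_FIELDS, indexed_lookup)
             for m in (MATCH_ALICE, MATCH_BOB)]
    return broken, fixed


if __name__ == "__main__":
    broken_keys, fixed_keys = demo()
    print("broken:", broken_keys)  # both matches share the bare rule name
    print("fixed: ", fixed_keys)   # one distinct key per (host, user) pair
```

Running the module prints the two key lists; with the naive lookup both matches produce the bare rule name, with the index-aware lookup each match gets its own key and only repeats of the same host and user are suppressed. The same function also handles nested indexes such as "a[1][0]" and refuses, by returning None, an index applied to a non-list value.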