datetime.now() gives the correct time only once in an enhancement module #448

K0WALSKl · 2021-09-05T07:15:20Z

K0WALSKl
Sep 5, 2021

Hi!

Thanks to jertel's Advice in this discussion, I've managed to edit the text_body of my email thanks to an enhancement.

Since then it works fine but the time never changes now. If I start my Elastalert docker container at, let's say 08:12:34, the time given with the function datetime.now() will always be 08:12:34, even if it is 13:34:00.
This seems to be a bug, should I open an issue ?

Just in case, here is my module :

import datetime
import re

from elastalert.enhancements import BaseEnhancement

class addTimeFromText(BaseEnhancement):
    def process(self, match):
        current_date = datetime.datetime.now()

        if '##1##' in self.rule['alert_text']:
            self.rule['alert_text'] = self.rule['alert_text'].replace('##1##', "'" + current_date.strftime("%Y-%m-%dT%H:%M:%S.000Z") + "'")

        if '##2##' in self.rule['alert_text']:
            changed_hours = datetime.timedelta(hours=1)
            changed_time = current_date - changed_hours
            self.rule['alert_text'] = self.rule['alert_text'].replace('##2##', "'" + changed_time.strftime("%Y-%m-%dT%H:%M:%S.000Z") + "'")

I've tried to replace current_date = datetime.datetime.now() with current_date = datetime.datetime.strptime(match['@timestamp'], "%Y-%m-%dT%H:%M:%S.%fZ") but the issue is still there.

I use the jertel/elastalert2:2 image.

Thanks in advance for your help :)

Answered by jertel

Sep 5, 2021

You are permanently modifying the rule's alert_text value. The first time it runs the process() method it is replacing the ##1## and ##2## strings with the timestamps. Now, every subsequent alert's process() invocation will look at the same rule alert_text but no longer find a ##1## or ##2##. This is because you just modified the original rule itself, instead of the match data.

Make sure you understand the difference between the rule dict and the match dict.

View full answer

jertel · 2021-09-05T13:24:40Z

jertel
Sep 5, 2021
Maintainer

You are permanently modifying the rule's alert_text value. The first time it runs the process() method it is replacing the ##1## and ##2## strings with the timestamps. Now, every subsequent alert's process() invocation will look at the same rule alert_text but no longer find a ##1## or ##2##. This is because you just modified the original rule itself, instead of the match data.

Make sure you understand the difference between the rule dict and the match dict.

1 reply

K0WALSKl Sep 6, 2021
Author

I felt it was not a good idea to do this but it did not even occur to me that I could just add some values to the match dict.
Thank you for helping me again, have a good day :)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

datetime.now() gives the correct time only once in an enhancement module #448

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

datetime.now() gives the correct time only once in an enhancement module #448

K0WALSKl Sep 5, 2021

Replies: 1 comment · 1 reply

jertel Sep 5, 2021 Maintainer

K0WALSKl Sep 6, 2021 Author

K0WALSKl
Sep 5, 2021

Replies: 1 comment 1 reply

jertel
Sep 5, 2021
Maintainer

K0WALSKl Sep 6, 2021
Author