Elastalert 'spike' rule alerting on 0 events being greater than 0 events

I started using elastalert HEAD today.

I am using this rule:

es_host: *******
es_port: 443
use_ssl: True
name: Mike Learning Two
type: spike
index: cwl-*
threshold: 2
timeframe:
  minutes: 1
spike_height: 2
spike_type: "up"
filter:
- query:
    query_string:
      query: "status:404"
alert:
- "debug"

It does detect spikes. But sometimes it emits this message:

INFO:elastalert:Alert for Mike Learning Two at 2016-03-30T08:27:52.137927Z:
INFO:elastalert:Mike Learning Two

An abnormal number (0) of events occurred around 2016-03-30 08:27 UTC.
Preceding that time, there were only 0 events within 0:01:00

@timestamp: 2016-03-30T08:27:52.137927Z
reference_count: 0
spike_count: 0

Am I doing something wrong, or is this a bug?

After getting no answer on SO, I opened an issue on the Elastalert GitHub:

https://github.com/Yelp/elastalert/issues/455

Their reply was:

Yeah. I guess this is sort of a bug. You should set either threshold_ref or threshold_cur instead of threshold. The example rule is outdated and incorrect and not setting either value should result in an error. My fault for neglecting it as the config format changed.
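As an added example (not ElastAlert's own code, and not part of the question or the GitHub reply), here is a simplified Python model of the spike comparison. It assumes the documented meaning of spike_height, spike_type, threshold_ref and threshold_cur, and assumes that the outdated threshold key is silently ignored rather than rejected, which is what the reply implies; the counts and configs are constructed.

```python
# Added example: a simplified model of a 'spike' rule's comparison, written
# to show why the rule in the question can fire on 0 events versus 0 events.
# It is not ElastAlert's code; it assumes the documented semantics of
# spike_height, spike_type, threshold_ref and threshold_cur, and it assumes
# the outdated 'threshold' key is silently ignored, as the reply implies.
from dataclasses import dataclass


@dataclass
class SpikeRule:
    spike_height: float      # "up": current >= reference * spike_height
    spike_type: str          # "up", "down" or "both"
    threshold_ref: int = 0   # minimum events required in the reference window
    threshold_cur: int = 0   # minimum events required in the current window


def rule_from_config(cfg: dict) -> SpikeRule:
    """Build a rule from a YAML-style mapping. Only threshold_ref and
    threshold_cur are read; a bare 'threshold' key (the outdated name used in
    the question) is dropped, leaving both minimums at 0."""
    return SpikeRule(
        spike_height=float(cfg["spike_height"]),
        spike_type=cfg["spike_type"],
        threshold_ref=int(cfg.get("threshold_ref", 0)),
        threshold_cur=int(cfg.get("threshold_cur", 0)),
    )


def spike_matches(rule: SpikeRule, ref_count: int, cur_count: int) -> bool:
    """True when the current window is a spike relative to the reference
    window. Without thresholds, 0 >= 0 * spike_height is true, so two empty
    windows still count as an 'up' spike."""
    if ref_count < rule.threshold_ref or cur_count < rule.threshold_cur:
        return False
    spike_up = cur_count >= ref_count * rule.spike_height
    spike_down = cur_count <= ref_count / rule.spike_height
    return (rule.spike_type in ("up", "both") and spike_up) or (
        rule.spike_type in ("down", "both") and spike_down
    )


# Constructed configs: the question's rule (bare 'threshold') and the fix.
QUESTION_RULE = rule_from_config({"spike_height": 2, "spike_type": "up", "threshold": 2})
FIXED_RULE = rule_from_config({"spike_height": 2, "spike_type": "up", "threshold_cur": 2})

if __name__ == "__main__":
    print(spike_matches(QUESTION_RULE, 0, 0))   # True: the spurious 0-vs-0 alert
    print(spike_matches(FIXED_RULE, 0, 0))      # False: threshold_cur gates it
    print(spike_matches(FIXED_RULE, 3, 10))     # True: a genuine spike still fires
```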