I want to use ElastAlert to send an alert that contains a field value from the Elasticsearch document. This is the relevant rule:
name: http monitor
type: whitelist
index: heartbeat-*
compare_key: http.response.status
whitelist:
- 200
alert:
- "email"
alert_subject: "Web interface is not reachable."
alert_text: "{0} seems to be down."
alert_text_args:
- http.url
Besides other fields, the Elasticsearch document contains http.response.status and http.url.
If http.response.status is not 200, it should trigger an email alert whose body contains the value of http.url ("{0} seems to be down."). If I start ElastAlert with this rule, I get
elastalert.util.EAException: Error loading file myrule.yaml: Invalid Rule file
How can I achieve this?
Thanks!
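As an added, stand-alone illustration (not part of the question and not ElastAlert's own code), here is a Python simulation of what the rule above is meant to do: resolve the dotted compare_key in a nested heartbeat document, apply the whitelist check, and render alert_text from alert_text_args. The helper names, the sample documents and the rule dict are constructed assumptions; ignore_null is ElastAlert's documented whitelist option for events that lack the compare_key.

```python
from typing import Any, Dict, List, Optional

# Constructed heartbeat documents (not real data) carrying the nested
# fields the rule refers to as http.response.status and http.url.
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {"http": {"url": "https://example.test/login", "response": {"status": 200}}},
    {"http": {"url": "https://example.test/login", "response": {"status": 503}}},
    {"http": {"url": "https://example.test/health"}},  # no response.status at all
]

# The question's rule as a dict (assumed parsed form); email settings omitted
# because only matching and text rendering are simulated here.
RULE: Dict[str, Any] = {
    "name": "http monitor",
    "type": "whitelist",
    "compare_key": "http.response.status",
    "ignore_null": True,  # documented whitelist option: skip events without compare_key
    "whitelist": [200],
    "alert_subject": "Web interface is not reachable.",
    "alert_text": "{0} seems to be down.",
    "alert_text_args": ["http.url"],
}


def lookup_dotted_key(doc: Dict[str, Any], key: str) -> Optional[Any]:
    """Resolve 'a.b.c' against nested dicts; None if any segment is missing."""
    cur: Any = doc
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def whitelist_matches(rule: Dict[str, Any], doc: Dict[str, Any]) -> bool:
    """True when the event should alert: value present and NOT in the whitelist."""
    value = lookup_dotted_key(doc, rule["compare_key"])
    if value is None:
        return not rule.get("ignore_null", False)  # null handling per ignore_null
    return value not in set(rule["whitelist"])


def render_alert(rule: Dict[str, Any], doc: Dict[str, Any]) -> str:
    """Fill alert_text placeholders from alert_text_args, like ElastAlert does."""
    values = [lookup_dotted_key(doc, k) for k in rule.get("alert_text_args", [])]
    values = ["<MISSING VALUE>" if v is None else v for v in values]
    return rule["alert_text"].format(*values)


def evaluate(rule: Dict[str, Any], docs: List[Dict[str, Any]]) -> List[str]:
    """Return the rendered alert body for every document that triggers the rule."""
    return [render_alert(rule, d) for d in docs if whitelist_matches(rule, d)]
```

Running evaluate(RULE, SAMPLE_DOCS) yields one alert, for the 503 document, while the document without a status field is skipped because ignore_null is true.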