TechQA.

Elastic Alert with "AND" condition for Elasticsearch query is never run

25 views Asked by At

I have an alert set up on an index. The alert should send out an email.

If I set up the alert with the query

{
  "query": {
    "bool": {
      "must" : [
        { "term" : { "Properties.EventId.Id" : 1 } }
      ]
    }
  }
}

the email specified in the alert is send.

If I st up the alert with the query

{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
           "kubernetes.namespace": "mynamespace"
          }
        }
      ]
    }
  }
}

then the email for the alert is also send.

Combining these 2 properties with an "AND" condition does not work.

{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "Properties.EventId.Id": 1
          }
        },
        {
          "term": {
           "kubernetes.namespace": "mynamespace"
          }
        }
      ]
    }
  }
}

I can see that there are matching documents when I run "Test query", but an email is never send.

There are no errors in "Error log"

Is there something missing? The version of elastic is 8.2.2

elasticsearch alerts
Original Q&A
0

There are 0 answers

Related Questions in ELASTICSEARCH

Related Questions in ALERTS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions