Elastalert simplified multiple rules in one file
I would suggest you think before doing this.

To achieve the expected result:

- Have `rule_type` as `change` instead of `frequency`.
- Keep the same timeframe.
- Monitor on `status`, as you want to check whether it is down.
- Set the filter on the `monitor` field.
- Set `alert` as POST. You can have your own backend API to which you can redirect. You can send the entire document which got changed, through which you can identify which `domain` is down. The backend API can write to an index which domain is down; the key name is `domain_name`. You can keep a counter kind of thing to increase. I am not sure whether we can directly post to ES, but the documentation says any endpoint which accepts JSON.

Now you have your `frequency` rule set on the new index. Have your filters as OR: `domain1_down:5 OR domain2_down:5`. You can have your same `email` alerting, but you need to derive which domain from the `key`, or you can have one more field in the index to be used by alerting.

Here the trickiest point is that your config says you want to find 5 downtimes of a domain in a 2 minute timeframe. By using the aforementioned steps, you can find whether it went down 5 times, but not within the 2 minute timeframe. I guess that you can achieve that by keeping a field `previous_down_time` in the extra index.

It's a harder way to achieve what is needed. I don't think there is any better way than maintaining separate files. That is not harder than this.
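As an added example (not part of the original answer or the ElastAlert project), here is one way the two-rule layout above could be written as ElastAlert rule files; the index names, the `monitor` value, the backend URL and the email address are assumed, and the backend is assumed to write one document per recorded downtime with a `domain_name` field.

```yaml
# Rule 1 (constructed example): a `change` rule on the monitoring index that
# POSTs the changed document to a backend, which records the downtime.
name: monitor_status_change
type: change
index: monitoring-*            # assumed name of the index holding monitor results
compare_key: status            # alert when this field changes, e.g. up -> down
ignore_null: true
query_key: monitor             # track status changes per monitor
timeframe:
  minutes: 2                   # same timeframe as the original rule
filter:
- term:
    monitor: "http_check"      # assumed value of the `monitor` field
alert:
- post
http_post_url: "http://backend.example/downtime"   # assumed backend API endpoint
http_post_payload:
  domain_name: domain          # copy the changed document's `domain` field
  status: status
http_post_static_payload:
  source: elastalert
---
# Rule 2 (constructed example): a `frequency` rule on the index the backend
# writes to, counting recorded downtimes per domain and emailing as before.
name: domain_down_five_times
type: frequency
index: domain-downtime-*       # assumed name of the index written by the backend
num_events: 5
timeframe:
  minutes: 2
query_key: domain_name         # count per domain, so the alert names the domain
filter:
- query_string:
    query: "domain_name:domain1 OR domain_name:domain2"
alert:
- email
email:
- "ops@example.com"            # assumed recipient
```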