Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Elastalert 'spike' rule alerting on 0 events being greater than 0 events

See original GitHub issue

I am using elastalert HEAD as of today.

I am using this rule:

es_host: *******
es_port: 443
use_ssl: True
name: Mike Learning Two
type: spike
index: cwl-*
threshold: 2
timeframe:
  minutes: 1
spike_height: 2
spike_type: "up"
filter:
- query:
    query_string:
      query: "status:404"
alert:
- "debug"

And it does indeed detect spikes. But sometimes it alerts with this message:

INFO:elastalert:Alert for Mike Learning Two at 2016-03-30T08:27:52.137927Z:
INFO:elastalert:Mike Learning Two

An abnormal number (0) of events occurred around 2016-03-30 08:27 UTC.
Preceding that time, there were only 0 events within 0:01:00

@timestamp: 2016-03-30T08:27:52.137927Z
reference_count: 0
spike_count: 0

Am I doing something wrong or is this a bug?

Issue Analytics

State:
Created 7 years ago
Comments:7 (2 by maintainers)

Top GitHub Comments

1reaction

pezzakcommented, Mar 7, 2018

In my case it was a typing error: treshold_ref -> threshold_ref. And if threshold_ref and threshold_cur not set in config this alert will occur.

0reactions

ashishkaransinghcommented, Mar 16, 2021

I am seeing this error too An abnormal number (0) of events occurred around 2021-03-16 15:54 UTC. Preceding that time, there were only 0 events within 0:02:00

num_hits: 0 num_matches: 1 placeholder: True reference_count: 0 spike_count: 0