How to send previous day aggregation results at onetime over the mail?

[rameshar16]

Hi All,

Is there any option to send the previous day aggregation results at onetime over the mail? Please let me know if any options available.

Thanks and Regards,
Ramesh

[jertel]

This might help: https://elastalert2.readthedocs.io/en/latest/ruletypes.html?highlight=aggregate#aggregation

[rameshar16]

Thank you @jertel

[rameshar16]

Hi @jertel ,

Could you please help me on the below?

scheduled aggregation adding multiple alerts messages into the mail instead of aggregated all the alerts results into a single result and adding to the email alert.

And also I see that the query rule is running for every 5 mins interval.. Is there any option to run the rule query once in a day and attached the complete results to the email one time?

Thanks and Regards,
Ramesh

[jertel]

I recommend reading the entire documentation, as the answers to your questions are in there.

Limit execution of rules to particular day, or time:

https://elastalert2.readthedocs.io/en/latest/ruletypes.html?highlight=aggregate#limit-execution

Using buffer_time and run_every to limit frequency and time window of alerts:

https://elastalert2.readthedocs.io/en/latest/running_elastalert.html#downloading-and-configuring

[rameshar16]

Thank you @jertel for the update.

I have added the run_Every but I am not receiving the email after added the run_every and below is my rule config file. Please let me know if I messed another parameters here.

################### Elasticsearch Parameters #####################
es_host: es-search.com
es_port: 9200

################### Rule Configuration Details #####################
name: rule name
type: frequency

index: "indexapi*"
num_events: 1
timeframe:
  hours: 1
top_count_number: 10
top_count_keys:
  - "group.keyword"
  - "name.keyword"
aggregation_key:
  - "group.keyword"
  - "name.keyword"
run_every:
    hours: 1
filter:
- range:
    responseStatus:
      from: 400
      to: 499

- query_string:
    query: "<query string>"

######## Custom Parameters #######
use_count_query: true
doc_type: "doc"

#################### Alerting Details ####################
alert:
- "email":
    from_addr: "team@xxxxxxx.com"
    email: "ramesh.ar16@xxxxxx.com"
alert_subject: "[Prod Report]"

Thanks and Regards,
Ramesh

[jertel]

You should run elastalert with debug enabled to better understand what's happening: https://elastalert2.readthedocs.io/en/latest/running_elastalert.html?highlight=debug#configuration-flags

Also, try without use_count_query: true. There was a recent change in the upcoming release that corrects an issue with counts queries used on newer ES clusters.

[rameshar16]

Thank you @jertel. Now, I am receiving the alerts after added the run_every. But, I am receiving the mails for last 24 hours for every alternative days instead of daily.

Note: I have removed the "use_count_query" from the rule and noticed that the reports are not accurate without "use_count_query: true".

run_every:
hours: 24
timeframe:
hours: 24

**################### Elasticsearch Parameters #####################
es_host: es-search.com
es_port: 9200

################### Rule Configuration Details #####################
name: rule name
type: frequency

index: "indexapi*"
num_events: 1
timeframe:
hours: 1
top_count_number: 10
top_count_keys:

• "group.keyword"

• "name.keyword"
  aggregation_key:

• "group.keyword"

• "name.keyword"
  run_every:
  hours: 1
  filter:

• range:
  responseStatus:
  from: 400
  to: 499

• query_string:
  query: ""

######## Custom Parameters #######
use_count_query: true
doc_type: "doc"

#################### Alerting Details ####################
alert:

• "email":
  from_addr: "team@xxxxxxx.com"
  email: "ramesh.ar16@xxxxxx.com"
  alert_subject: "[Prod Report]"**

Please let me know if I missed anything here.

Thanks and Regards,
Ramesh

[jertel]

I noticed you have timeframe specified twice. I don't see how that would cause it to skip every other day though. Try reducing the timing to run every hour and see if you get one email per hour. Then continue expanding the times until you start seeing the skip, then enable debug to find out if there's any helpful output that might explain that behavior.