elastalert_error index mapping #274

Closed Locked Unanswered

vvvlad asked this question in Q&A

vvvlad
Jun 15, 2021

Good day everyone.
Looking for some understanding of elastalert_error index mapping.
The index keeps the failed rule name under data.name.
The mapping is:

"data" : {
  "type" : "object",
  "enabled" : false
}

which AFAIK means that there is no way to search by failed index name.
What is the reason for this mapping and is it possible to change it in the elastalert configuration?

Thanks

Replies: 1 comment 8 replies

nsano-rururu
Jun 15, 2021
Collaborator

Did you read the source code?
https://github.com/jertel/elastalert2/blob/master/elastalert/create_index.py

8 replies

vvvlad Jun 15, 2021
Author

@nsano-rururu
I don't understand what you mean.

nsano-rururu Jun 15, 2021
Collaborator

I don't want to get involved

vvvlad Jun 15, 2021
Author

I don't want to get involved

Ok, I'm not sure what you mean by getting involved.

Thanks for pointing me to the source, that helped me to find the definition file.

nsano-rururu Jun 15, 2021
Collaborator

I haven't seen the source code, and I understand that I'm not technically familiar with this point.

nsano-rururu Jun 15, 2021
Collaborator

how I change it if I just want to pip install the package without changing internal files.

See the following documentation for pip installation.
https://elastalert2.readthedocs.io/en/latest/running_elastalert.html#as-a-python-package

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment