TypeError("search() got multiple values for argument 'body'",) #2811

Closed
LazarenkoA opened this issue May 15, 2020 · 6 comments

@LazarenkoA

Hi. I ran the config test with the elastalert-test-rule command and got this error:

Error running your filter:
TypeError("search() got multiple values for argument 'body'",)
1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:23 UTC to 2020-05-15 11:24 UTC: 0 / 0 hits
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:24 UTC to 2020-05-15 11:25 UTC: 0 / 0 hits
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:25 UTC to 2020-05-15 11:26 UTC: 0 / 0 hits
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:26 UTC to 2020-05-15 11:27 UTC: 0 / 0 hits
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:27 UTC to 2020-05-15 11:28 UTC: 0 / 0 hits
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:28 UTC to 2020-05-15 11:29 UTC: 0 / 0 hits
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:29 UTC to 2020-05-15 11:30 UTC: 0 / 0 hits
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:30 UTC to 2020-05-15 11:31 UTC: 0 / 0 hits
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:31 UTC to 2020-05-15 11:32 UTC: 0 / 0 hits
INFO:elastalert:Queried rule rmngr_error_spike from 2020-05-15 11:32 UTC to 2020-05-15 11:33 UTC: 0 / 0 hits
......................................

The filter in a config:

filter:
- bool:
    filter:
    - bool:
        should:
        - query_string:
            fields:
            - Descr
            query: "*RMngrCalls*"
        minimum_should_match: 1
    - bool:
        should:
        - bool:
            should:
            - query_string:
                fields:
                - Descr
                query: "*onBeginTransaction*"
            minimum_should_match: 1
        - bool:
            should:
            - query_string:
                fields:
                - Descr
                query: "*onCommitTransaction*"
            minimum_should_match: 1
        minimum_should_match: 1
- match_phrase:
    type:
      query: log1c-excp

If I take this filter, convert it to JSON and execute it in the ELK console, everything works. Why the error?

@nickbabkin

I would try removing minimum_should_match clauses first.

@LazarenkoA
Author

> I would try removing minimum_should_match clauses first.

It hasn't helped. Even if you simplify the filter, there is still the error:

filter:
- match_phrase:
    type:
      query: log1c-excp

@nickbabkin

Can you post a complete rule file?

@LazarenkoA
Author

> Can you post a complete rule file?

name: rmngr_error_spike
type: spike
index: log1c-*

timeframe:
  hours: 2

threshold_cur: 100
#threshold_ref: 5

spike_height: 5

spike_type: "up"

filter:
- match_phrase:
    type:
      query: log1c-excp


alert:
  - "command"

command:
  - "/opt/elastalert/alerts/send_alert.sh"
  - "❗  Exception on %(host.name)s, %(p:processName)s, User: %(Usr)s"

@LazarenkoA
Author

Apparently this is an informational message, because rules work.

@LazarenkoA
Author

It seems the reason is
#2725 (comment)
