
Could not generate kibana dash for Test rule match: Could not parse filter #437

Open
jurgenhaas opened this issue Mar 21, 2016 · 6 comments

Comments

@jurgenhaas

My rule is working just fine but I can't generate Kibana links. The rule is this:

es_host: "localhost"
es_port: 9200
index: "logstash-*"
name: "Test rule"
type: "frequency"
alert:
  - "slack"
description: "This is just a test"

generate_kibana_link: true
use_kibana4_dashboard: "http://crcmon1/app/kibana#/dashboard/Default"
kibana_url: "http://crcmon1/app/kibana"

slack_webhook_url: 'removed'

num_events: 1
timeframe:
  minutes: 5
filter:
  - query_string:
      query: ident:drupal* AND (@log_name:"syslog.local0.err" OR @log_name:"syslog.local0.emerg")
      analyze_wildcard: true

The full error message:

elastalert_error - {'message': 'Could not generate kibana dash for Test rule match: Could not parse filter {\'query_string\': {\'query\': \'ident:drupal* AND (@log_name:"syslog.local0.err" OR @log_name:"syslog.local0.emerg")\', \'analyze_wildcard\': True}} for Kibana', 'traceback': ['Traceback (most recent call last):', '  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.0.75-py2.7.egg/elastalert/elastalert.py", line 909, in send_alert', '    kb_link = self.generate_kibana_db(rule, matches[0])', '  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.0.75-py2.7.egg/elastalert/elastalert.py", line 783, in generate_kibana_db', '    kibana.add_filter(db, filter)', '  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.0.75-py2.7.egg/elastalert/kibana.py", line 221, in add_filter', '    raise EAException("Could not parse filter %s for Kibana" % (es_filter))', 'EAException: Could not parse filter {\'query_string\': {\'query\': \'ident:drupal* AND (@log_name:"syslog.local0.err" OR @log_name:"syslog.local0.emerg")\', \'analyze_wildcard\': True}} for Kibana']}

Looks like we are having trouble with that filter?

@AxelMonroyX
Contributor

I have the same issue with this filter:

filter:
- query:
    query_string:
      query:
        "error.status.code:500"

@Qmando
Member

Qmando commented Aug 1, 2018

This feature is only for Kibana 3, https://elastalert.readthedocs.io/en/latest/ruletypes.html?highlight=generate_kibana_link#generate-kibana-link, so it hasn't received much attention from me recently.

I see there is a slight bug, when using Elasticsearch 5 or 6 with this (would that even work with Kibana 3?), it will break if you are using query string filters.

@AxelMonroyX
Contributor

AxelMonroyX commented Aug 1, 2018

@Qmando So how can I generate the Kibana link using Kibana 6.2.3?

@Qmando
Member

Qmando commented Aug 1, 2018

You can't

@AxelMonroyX
Contributor

@Qmando then I think I can generate it myself if I can get the "now" at which the alert is fired into the alert_text.
Is there a way to do it?

@Qmando
Member

Qmando commented Aug 2, 2018

You can do

alert_text: "https://kibana/{}"
alert_text_args: ["@timestamp"]
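As an added illustration, not part of this thread or of ElastAlert's own code: a small Python helper that turns the match's @timestamp (the value the alert_text_args above would pass through) into a Kibana 4+ dashboard link with the time range pinned around the rule's 5-minute timeframe. The dashboard URL is the one from the rule in this issue; the one-minute padding and the sample match are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Dashboard URL taken from the rule in this issue; timeframe matches the rule's
# "minutes: 5". The one-minute padding is an assumption made for this example.
DASHBOARD_URL = "http://crcmon1/app/kibana#/dashboard/Default"
TIMEFRAME = timedelta(minutes=5)
PADDING = timedelta(minutes=1)


def parse_es_timestamp(ts):
    """Parse the ISO-8601 @timestamp Logstash writes, e.g. 2016-03-21T10:15:30.123Z."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"  # fromisoformat() on older Pythons does not accept 'Z'
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def kibana_iso(dt):
    # Whole seconds are enough for a dashboard window; fractions are dropped.
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def time_window(match_ts, timeframe=TIMEFRAME, padding=PADDING):
    """(from, to) covering the rule's timeframe ending at the match, plus padding on both sides.
    The padding also keeps the match inside the window after the seconds are truncated."""
    end = parse_es_timestamp(match_ts)
    return kibana_iso(end - timeframe - padding), kibana_iso(end + padding)


def kibana_link(match, dashboard_url=DASHBOARD_URL):
    """Build a Kibana 4+ dashboard URL whose global state (_g) pins the time range.
    _g uses Kibana's rison notation: (time:(from:'...',mode:absolute,to:'...'))."""
    start, end = time_window(match["@timestamp"])
    g = "(time:(from:'%s',mode:absolute,to:'%s'))" % (start, end)
    # Percent-encode anything unusual but keep the characters rison itself needs.
    return "%s?_g=%s" % (dashboard_url, quote(g, safe="(),:!'"))


if __name__ == "__main__":
    # Constructed sample match, shaped like the syslog events the rule above filters on.
    sample = {"@timestamp": "2016-03-21T10:15:30.123Z",
              "ident": "drupal-web", "@log_name": "syslog.local0.err"}
    print(kibana_link(sample))
```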
