Question 1

How to set up ElastAlert to send alerts to Slack?

Accepted Answer

Configure the alert section in your rule YAML file with the Slack webhook URL and channel details. Use the built-in Slack alert type, and ensure proper formatting for message content as per the documentation.

Question 2

ElastAlert vs Elasticsearch Watcher: which should I use?

Accepted Answer

ElastAlert offers more rule types and external integrations but is deprecated. Elasticsearch Watcher is native and maintained, but may have fewer alerting options. For new projects, Watcher or ElastAlert2 is recommended.

Question 3

Why is my ElastAlert rule not firing any alerts?

Accepted Answer

Check if hits match your filters using elastalert-test-rule, ensure timeframe and threshold settings are correct, and verify that realert or aggregation settings aren't suppressing alerts. Common issues include misconfigured YAML or buffer_time overlaps.

Question 4

How to improve ElastAlert performance for large Elasticsearch indices?

Accepted Answer

Enable use_count_query or use_terms_query in rules to reduce data transfer, adjust buffer_time to smaller windows, and use strftime-based index patterns to limit shard queries, as suggested in the FAQ.

Question 5

Can ElastAlert alert on percentage changes in metric data?

Accepted Answer

Not directly; you need to use the spike rule type with custom thresholds or implement a custom rule. The built-in types focus on absolute counts or rates, requiring manual calculation for percentages.

Question 6

How to aggregate and send daily reports in ElastAlert?

Accepted Answer

Use the aggregation feature with a schedule like cron syntax in your rule YAML. Set aggregation to combine matches over time, and configure alert types like email to send periodic summaries.

Elastalert | Yelp

What is Elastalert | Yelp?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions