我的目标是在这种情况下在ElastAlert中发出警报:午夜至凌晨2点之间未发生任何事件。 (任何日期)。问题在于如何对Elasticsearch进行查询,以匹配除特定时间以外的任何日期,因为您不能在类型为“date”的时间戳上使用regexp或通配符。有什么建议么?
此代码返回“解析失败”:
"range": {
"timestamp": {
"gte": "20[0-9]{2}-[0-9]{2}-[0-9]{2}T00:00:00.000Z",
"lt": "20[0-9]{2}-[0-9]{2}-[0-9]{2}T02:00:00.000Z"
}
}
最佳答案
以自定义规则处理它是理想的。
我编写了以下内容来进行相同的过滤:
注意,所使用的依赖项(dateutil,elastalert.utils)已经与elastalert框架 bundle 在一起。
import dateutil.parser
from ruletypes import RuleType
# elastalert.util includes useful utility functions
# such as converting from timestamp to datetime obj
from util import ts_to_dt
# Modified version of http://elastalert.readthedocs.io/en/latest/recipes/adding_rules.html#tutorial
# to catch events happening outside a certain time range
class OutOfTimeRangeRule(RuleType):
""" Match if input time is outside the given range """
# Time range specified by including the following properties in the rule:
required_options = set(['time_start', 'time_end'])
# add_data will be called each time Elasticsearch is queried.
# data is a list of documents from Elasticsearch, sorted by timestamp,
# including all the fields that the config specifies with "include"
def add_data(self, data):
for document in data:
# Convert the timestamp to a time object
login_time = document['@timestamp'].time()
# Convert time_start and time_end to time objects
time_start = dateutil.parser.parse(self.rules['time_start']).time()
time_end = dateutil.parser.parse(self.rules['time_end']).time()
# If time is outside office hours
if login_time < time_start or login_time > time_end:
# To add a match, use self.add_match
self.add_match(document)
# The results of get_match_str will appear in the alert text
def get_match_str(self, match):
return "logged in outside %s and %s" % (self.rules['time_start'], self.rules['time_end'])
def garbage_collect(self, timestamp):
pass
关于regex - Elasticsearch中的时间戳正则表达式,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50945405/