ElastAlert: config.yaml :聚合选项提供错误

Question

我已经在中配置了config.yaml聚合选项，以便每隔1小时发送一次警报摘要。但当我试图运行它时，它会抛出以下错误。

File "elastalert.py", line 863, in run_rule
self.add_aggregated_alert(match, rule)
File "elastalert.py", line 1614, in add_aggregated_alert
alert_time = ts_now() + rule['aggregation']
TypeError: unsupported operand type(s) for +: 'datetime.datetime' and 'dict'
ERROR:root:Uncaught exception running rule Test Alert : unsupported operand type(s) for +: 'datetime.datetime' and 'dict'
INFO:elastalert:Rule Test Alert disabled

配置参数如下：

rules_folder: test_rules
run_every:
 minutes: 15
buffer_time:
 minutes: 30
es_host: 100.38.46.3
es_port: 9200
aggregation:
 hours: 1
writeback_index: elastalert_status
alert_time_limit:
  days: 2

测试警报规则配置：

name: Test Alert
type: metric_aggregation
index: logstash-*
buffer_time: 
 minutes: 30
metric_agg_key: count
metric_agg_type: sum
query_key: "name.keyword"
doc_type: counter
max_threshold: 1
min_threshold: 0
filter:
- query:
   query_string: 
     query: "name.keyword: *timedout_count"
alert:
- "email"
email:
- "admin@abc.com"

我跟踪了ElastAlert文档，但无法找出是什么导致了这个问题。

谢谢

Answer 1

从错误：

TypeError: unsupported operand type(s) for +: 'datetime.datetime' and 'dict'

从你的config.yaml

metric_agg_type: sum

它试图(和失败)对不支持求和的datetime和dict值执行和聚合。您可能需要选择一个诸如count或唯一计数之类的聚合，并相应地调整警报的逻辑。