Invalid multiple indexes specified

[bongmu]

Multiple indexes are specified. When the "error" keyword appears in multiple indexes at the same time, only one is matched and then an alarm is sounded. What I want is to match multiple indexes at the same time and sound an alarm in sequence.

config：

es_host: xxx
es_port: 9200
name: "dev-all-err"

type: "frequency"
index: "xxx-,xxx-,xxx-,xxx-"
is_enabled: true

filter:

query:
query_string:
query: "message: ERROR"
num_events: 1

timeframe:
minutes: 1

realert:
minutes: 1

timestamp_field: "@timestamp"
timestamp_type: "iso"
use_strftime_index: true
include: ["tags", "message", "@timestamp"]

alert_text_type: alert_text_only
alert_text: |
xxx

alert:

"dingtalk"
dingtalk_access_token: "x"
dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=xxx"
dingtalk_msgtype: "text"

[nsano-rururu]

https://elastalert2.readthedocs.io/en/latest/ruletypes.html#index

[bongmu]

Yes, I did it according to this configuration

But after my test, writing ERROR logs to two different indexes at the same time only warned one index

[jertel]

By attempting to combine them into a single rule it causes the re-alert to prevent the second event from alerting. So if you are suggesting that both indices receive an event at the same time, and you want both alerts to be sent then you have two options:

1. Simplest: Use two different rules, each using its own index.
2. Define the _index field as a query key. I've not tried this but perhaps it could work.