update elastalert

elastalert/data/config.yaml

@@ -12,7 +12,7 @@ rules_folder: rules
 # How often ElastAlert will query elasticsearch
 # The unit can be anything from weeks to seconds
 run_every:
-  seconds: 60
+  minutes: 1
 
 # ElastAlert will buffer results from the most recent
 # period of time, in case some log sources are not in real time

elastalert/data/rules/example.yaml

@@ -0,0 +1,25 @@
+name: Example rule
+
+es_host: elasticsearch
+es_port: 9200
+
+type: frequency
+
+index: logstash-*
+
+num_events: 10
+
+timeframe:
+  hours: 1
+
+filter:
+- query:
+    query_string:
+      query: 'response:[500 TO *]'
+
+alert:
+- command
+
+command:
+- echo
+- "{match[@timestamp]} {match[message]}"