What is proper rule syntax to generate two different alert types?

[branchnetconsulting]

I can successfully use this in a rule to send an email:

alert:
- "email"
email:
- "my@email-addr.com"

or this to send a Slack message:

alert:
- "slack"
slack:
slack_webhook_url: "my-slack-webhook"

but how do I specify that I want a rule to do both? Appending the second example above to the first one seems to result in the first one being discarded and only the last one taking affect. I presume I can only have one "alert:" line and then multiple alert types specified thereafter, but my every attempt at this results in rule parsing failures. For example, this fails

alert:
- "email"
email:
- "my@email-addr.com"
- "slack"
slack:
slack_webhook_url: "my-slack-webhook"

with an error "yaml.parser.ParserError: while parsing a block mapping in...expected , but found '-'

Please enlighten me about proper syntax for specifying multiple alert types for my above example.

Thanks!

[pblasquez]

Hi,

You must enumerate your alert methods all within the alert block, like so:

alert:
- "email"
- "slack"

Then you only need your email list:

email:
- "my@email-addr.com"
- "another@email-addr.com"

and your slack options (no need for slack: by itself):

slack_webhook_url: "my-slack-webhook"
slack_username_override: "Elastalert"

[branchnetconsulting]

Thanks, that worked like a charm!

[musabdogan]

Thanks a lot

One more example:

alert:
- "slack"
- "command"

slack:
slack_webhook_url: "https://hooks.slack.com/services/***/***/***"

command:
command: ["/usr/bin/sh", "/root/musab/elastalert_run.sh"]