Turns out it's a (default) limitation in ElasticSearch, the indices.query.bool.max_clause_count term. Increasing this would fix my problem, but is not recommended.
Best solution would be to rejigger the get_query() or enhance_filter() function to break up queries with more 1024 terms into multiple queries. Or maybe make a LongBlacklist rule class.
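One way to do the split proposed above, as an added example that is not ElastAlert's own code: it assumes a blacklist file with one value per line and builds `field:"value" OR ...` query_string bodies like the one in the error, chunked so no single query carries more than 1024 clauses (the `load_blacklist` and `build_blacklist_queries` names are hypothetical).

```python
"""Split a large blacklist into several Elasticsearch query_string queries,
each under the default indices.query.bool.max_clause_count of 1024.
Added example, not ElastAlert code; names and sample data are constructed."""

MAX_CLAUSE_COUNT = 1024  # Elasticsearch default for indices.query.bool.max_clause_count


def load_blacklist(text):
    """Parse blacklist file contents: one value per line; blank lines and
    '#' comments are skipped, duplicates dropped while preserving order."""
    seen = set()
    values = []
    for line in text.splitlines():
        value = line.strip()
        if not value or value.startswith("#") or value in seen:
            continue
        seen.add(value)
        values.append(value)
    return values


def _quote(value):
    """Quote a value for query_string syntax, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_blacklist_queries(field, values, max_clauses=MAX_CLAUSE_COUNT):
    """Return a list of Elasticsearch query bodies. Each ORs at most
    max_clauses exact-match terms on `field`, the same field:"value" OR ...
    shape seen in the error, so no single query exceeds the clause limit."""
    if max_clauses < 1:
        raise ValueError("max_clauses must be >= 1")
    queries = []
    for start in range(0, len(values), max_clauses):
        chunk = values[start:start + max_clauses]
        qs = " OR ".join(f"{field}:{_quote(v)}" for v in chunk)
        queries.append({"query": {"query_string": {"query": qs}}})
    return queries


if __name__ == "__main__":
    # Constructed sample: 2500 fake MD5-shaped values, a comment and a duplicate.
    sample = ("# known-bad hashes\n" + "\n".join(f"{i:032x}" for i in range(2500))
              + "\n00000000000000000000000000000001\n")
    hashes = load_blacklist(sample)
    for q in build_blacklist_queries("winlog.event_data.md5", hashes):
        print(q["query"]["query_string"]["query"].count(" OR ") + 1, "clauses")
```

Each returned body can be run as a separate search and the hits merged, which is what a chunking `get_query()` or a LongBlacklist rule would do.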
When trying to create a blacklist rule that parses a file that contains more than 1024 lines, I get the following error:
elastalert_error - {'message': 'Error running query: [\'Failed to parse query [winlog.event_data.md5:"65a27335241f56963655d472704cae8e" OR .... winlog.event_data.md5:"cf85c2ced0556ce7... (60500 characters removed)', 'traceback': ['Traceback (most recent call last):', ' File "/usr/local/lib/python3.6/site-packages/elastalert/elastalert.py", line 398, in get_hits', ' raise ElasticsearchException(errs)', 'elasticsearch.exceptions.ElasticsearchException: [\'Failed to parse query [winlog.event_data.md5:"65a2...
To reproduce:
elastalert-test-rule --config config.yaml myrule.yaml
Is this a limitation with elastalert, or with one of the frameworks it depends on, or with Elasticsearch, or...?