运行 elastalert 规则：IOError: [Errno 2] 没有这样的文件或目录：'config.yaml'

Question

I create a rule

    name: Metricbeat CPU Spike Rule
type: metric_aggregation

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

es_host: localhost
es_port: 9200

index: metricbeat-*

buffer_time:
  hours: 1

metric_agg_key: system.cpu.user.pct
metric_agg_type: avg
query_key: beat.hostname
doc_type: metricsets

bucket_interval:
  minutes: 5

sync_bucket_interval: true
#allow_buffer_time_overlap: true
#use_run_every_query_size: true

min_threshold: 0.5

filter:
- range:
    system.cpu.user.pct:
      from: 0.05
      to: 0.07 

# (Required)
# The alert is use when a match is found
alert:
- "email"

# (required, email specific)
# a list of email addresses to send alerts to
email:
- "chiangpohlin@newict.com"

I think the rule works fine because when I try to test it by running elastalert-test-rule test.yaml , I get this:

Successfully loaded Metricbeat

Got 155 hits from the last 1 day

Available terms in first hit:
        beat.hostname
        beat.name
        beat.version
        @timestamp
        type
        metricset.rtt
        metricset.name
        metricset.module
        system.cpu.softirq.pct
        system.cpu.iowait.pct
        system.cpu.system.pct
        system.cpu.idle.pct
        system.cpu.user.pct
        system.cpu.irq.pct
        system.cpu.steal.pct
        system.cpu.nice.pct

INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
                To send them but remain verbose, use --verbose instead.
INFO:elastalert:Alert for Metricbeat, SenzoServer at 2018-03-20T03:25:00Z:
INFO:elastalert:Metricbeat

Threshold violation, avg:system.cpu.user.pct 0.053 (min: 0.5 max : None)

@timestamp: 2018-03-20T03:25:00Z
beat.hostname: SenzoServer
num_hits: 155
num_matches: 16
system.cpu.user.pct_avg: 0.053

INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer
INFO:elastalert:Ignoring match for silenced rule Metricbeat.SenzoServer

Would have written the following documents to writeback index (default is elastalert_status):

silence - {'rule_name': u'Metricbeat.SenzoServer', '@timestamp': datetime.datetime(2018, 3, 20, 4, 38, 38, 277518, tzinfo=tzutc()), 'exponent': 0, 'until': datetime.datetime(2018, 3, 20, 4, 39, 38, 277508, tzinfo=tzutc())}

elastalert_status - {'hits': 155, 'matches': 16, '@timestamp': datetime.datetime(2018, 3, 20, 4, 38, 38, 279438, tzinfo=tzutc()), 'rule_name': 'Metricbeat', 'starttime': datetime.datetime(2018, 3, 19, 4, 38, 38, 173884, tzinfo=tzutc()), 'endtime': datetime.datetime(2018, 3, 20, 4, 38, 38, 173884, tzinfo=tzutc()), 'time_taken': 0.09930419921875}

So then I try to run it using python -m elastalert.elastalert --verbose --rule test.yaml , and I get this :

Traceback (most recent call last):
  File "/usr/lib/python2.7/runpy.py", line 162, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/elastalert.py", line 1856, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/elastalert.py", line 1850, in main
    client = ElastAlerter(args)
  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/elastalert.py", line 130, in __init__
    self.conf = load_rules(self.args)
  File "/usr/local/lib/python2.7/dist-packages/elastalert-0.1.29-py2.7.egg/elastalert/config.py", line 433, in load_rules
    conf = yaml_loader(filename)
  File "/usr/local/lib/python2.7/dist-packages/staticconf/loader.py", line 167, in yaml_loader
    with open(filename) as fh:
IOError: [Errno 2] No such file or directory: 'config.yaml'

Is it something wrong with my elastalert installation? I tried install requirements.txt already not working.

Answer 1

在命令中提到elasticalert config.yaml.example中的配置文件，即python -m elastalert.elastalert --verbose --rule example_rules/example_frequency.yaml --config config.yaml.example应该可以工作。

Answer 2

elastalert need a config file to connect with ES and load other attributes. elastalert-Test comes with its own config file (config.yaml.example)

To solve the issue, please make a copy of config.yaml.example and rename it to config.yaml. Make necessary changes in config.yaml and things will fall into place.

Thanks