ElastAlert 2 rule types

Each alerting rule sets type: to choose how matches are detected. Every type guide opens with a short overview, then an Options section: first Fields every rule needs (the YAML skeleton common to all types), then Required for this type and optional keys for that type, followed by a Full working example and usually a real-world example. Cross-rule options such as buffer_time, run_every, realert, and is_enabled are covered in the Full Reference and Create a rule.

Fields every rule needs

Regardless of type, every ElastAlert 2 rule must define name, index, type, filter, and alert (plus the settings each destination needs under alert:). The per-type guides below add Required for this type only for keys that belong to that rule type.

Adjust index and queries to match your data.

For notification wording and Discover links across all types, see Subject & body and Context & links. For alert: channels, see Destinations.

Rule types

Any rule type→

Use ElastAlert 2 type: any on Logit.io to notify on every document that matches your filter, with realert, query_key, and YAML examples.

Blacklist rule type→

Alert when a field equals a forbidden value using ElastAlert 2 type: blacklist on Logit.io: compare_key, list values, and YAML.

Whitelist rule type→

Alert when a value is not in an allow list using ElastAlert 2 type: whitelist on Logit.io, with compare_key and full YAML.

Change rule type→

Detect when a field changes for the same user or host with ElastAlert 2 type: change on Logit.io: compare_key, query_key, timeframe.

Frequency rule type→

Alert when at least num_events occur in timeframe using ElastAlert 2 type: frequency on Logit.io, with count queries and examples.

Spike rule type→

Compare current vs reference traffic with ElastAlert 2 type: spike on Logit.io: spike_height, spike_type, thresholds, and YAML.

Flatline rule type→

Detect silence or missing heartbeats with ElastAlert 2 type: flatline on Logit.io: threshold, timeframe, query_key, and YAML.

New term rule type→

Alert on first-time values in a field using ElastAlert 2 type: new_term on Logit.io: fields, terms window, and YAML.

Cardinality rule type→

Alert on too many or too few unique values with ElastAlert 2 type: cardinality on Logit.io: cardinality_field, max/min, query_key.

Metric aggregation rule type→

Threshold metrics from OpenSearch aggregations with ElastAlert 2 type: metric_aggregation on Logit.io: metric_agg_key, thresholds, YAML.

Spike aggregation rule type→

Spike detection on aggregated metrics with ElastAlert 2 type: spike_aggregation on Logit.io: buffer_time, metric_agg_key, spike_height.

Percentage match rule type→

Alert when a subset exceeds a percentage of hits using ElastAlert 2 type: percentage_match on Logit.io: match_bucket_filter, SLO-style YAML.