Агрегация ElastAlert2 Отправить оповещение по электронной почте включает повторяющиеся тексты после таблицы ⇐ Elasticsearch aggregation

[Anonymous]

Я посылаю счетчик StatusCode в журнале доступа от ElasticSearch с использованием ElastAlert2. < /p>
Я могу отправлять и получать предупреждение по электронной почте, но я получаю повторяющиеся тексты после таблицы. (повторяющиеся тексты одинаково, что и количество) < /p>
1) < /p>

Код: Выделить всё

alert_subject: "[Prod] ESB Accesslog statusCode Count (past 2 minutes)"

alert_text_type: alert_text_jinja
alert_text: |
< /code>
Если я использую выше,
я получаю электронную почту, как ниже: < /p>
Aggregation resulted in the following data for summary_table_fields ==> ['statusCode', 'count']:

+------------+-------+
| statusCode | count |
+============+=======+
| 200        | 99    |
+------------+-------+
| 502        | 16    |
+------------+-------+
| 401        | 8     |
+------------+-------+
| 400        | 2     |
+------------+-------+
| 504        | 1     |
+------------+-------+

RuleTopCount

----------------------------------------
RuleTopCount

----------------------------------------
RuleTopCount

----------------------------------------
RuleTopCount

----------------------------------------
RuleTopCount
< /code>
где < /p>
RuleTopCount

----------------------------------------

are repeated 126 times, as the total count in the table are 126.
2)
if i comment out alert_text_type and alert_text, or use
alert_text_type: alert_text_only
then i get as below:

Код: Выделить всё

Aggregation resulted in the following data for summary_table_fields ==> ['statusCode', 'count']:

+------------+-------+
| statusCode | count |
+============+=======+
| 200        | 9629  |
+------------+-------+
| 502        | 220   |
+------------+-------+
| 401        | 131   |
+------------+-------+
| 504        | 10    |
+------------+-------+
| 400        | 5     |
+------------+-------+
| 30         | 1     |
+------------+-------+
| 406        | 5     |
+------------+-------+

RuleTopCount

At least 1 events occurred between 2025-04-22 18:23 PDT and 2025-04-22 18:25 PDT

statusCode.keyword:
No events found.

@timestamp: 2025-04-22T18:25:04-07:00
_id: 2cY_YJYB5pge5plwuEGI
_index: accesslog_gma-20250423
_type: _doc
num_hits: 19066
num_matches: 19066
statusCode: 200

----------------------------------------
RuleTopCount

At least 1 events occurred between 2025-04-22 18:23 PDT and 2025-04-22 18:25 PDT

statusCode.keyword:
No events found.

@timestamp: 2025-04-22T18:25:04-07:00
_id: 2sY_YJYB5pge5plwuEGI
_index: accesslog_gma-20250423
_type: _doc
num_hits: 19066
num_matches: 19066
statusCode: 502

----------------------------------------
< /code>
Как я могу исключить хвостовые тексты после таблицы?name: RuleTopCount
type: frequency
index: "accesslog*"

num_events: 1
attach_related: false

max_instances: 2

query_key: statusCode

top_count_keys:
- statusCode
top_count_number: 100

aggregation:
minutes: 2

summary_table_fields:
- statusCode

filter:
- range:
"@timestamp":
gte: "now-2m"

timeframe:
minutes: 2

include: []  # Prevents writing full match_body

alert:
- "email"

email:
- "receiving@email.com"
from_addr: "sending@email.com"
email_reply_to: "noreply@autoeveramerica.com"

alert_subject: "[Prod] ESB Accesslog statusCode Count (past 2 minutes)"

`

Подробнее здесь: https://stackoverflow.com/questions/795 ... fter-table