do not work on flatline rule?

[fberrez]

The module does not seem to work with a flatline rule.

Situation

• I have the following rule:

name: myFlatlineRule
description: sends alert when a flatline occured in my log
index: myIndex-*
type: flatline
timeframe:
  minutes: 5
threshold: 1
filter:
  - term:
      fields.metadata.code.keyword: 'MY_LOG_CODE'

realert:
  minutes: 1

start_time: '5:00' # 7:00 Europe/Paris
end_time: '20:00' # 22:00 Europe/Paris
drop_if: "outside"

When this is triggered, an alert is sent to my slack channel.

• With the logs (timezone: Europe/Paris):

We can see that a flatine exists between 00:10 and 05:00 (Europe/Paris).

• In my slack channel:

The first alert starts at 00:25 and the last one is sent at 05:01 (Europe/Paris).

Expected behavior

No alert should be sent between 22:00 and 7:00 (Europe/Paris).

[pradeepgadkari]

Is there any solution for this issue. I am also facing similar issue. If a triggering event occurs outside of the specified tie, I get alert just after the start_time. Considering the above rule,if I do not have any data coming at 20:05 then I will get alert at 5:05 the next day.

[pradeepgadkari]

@fberrez I tried changing the code a bit and it works on flatline rule now

import dateutil.parser

from elastalert.enhancements import BaseEnhancement
from elastalert.enhancements import DropMatchException


class HourRangeEnhancement(BaseEnhancement):
    def process(self, match):
        timestamp = None
        try:
            timestamp = dateutil.parser.parse(match['match_body.@timestamp']).time()
        except Exception:
            try:
                timestamp = dateutil.parser.parse(match[self.rule['timestamp_field']]).time()
            except Exception:
                pass
        if timestamp is not None:
            time_start = dateutil.parser.parse(self.rule['start_time']).time()
            time_end = dateutil.parser.parse(self.rule['end_time']).time()
            if(self.rule['drop_if'] == 'outside'):
                if timestamp < time_start or timestamp > time_end:
                    raise DropMatchException()
            elif(self.rule['drop_if'] == 'inside'):
                if timestamp >= time_start and timestamp <= time_end:
                    raise DropMatchException()

You can test this on your scenario