elastalert 用import属性来组织，引入配置

对应rule的一些公用规则，可以放到一个或者多个头文件中。主的rule yaml文件引入即可。文件名随意，最好别用yaml后缀，要不会被当做一个rule。另外import在rule文件中只能出现一次。多个头文件的话可以import文件中引入另外一个import。

示例：

主的myrule.yaml:

import: inc_es.inc
name: hs_server_ahc_task system error

type: frequency

# (Required)
# Index to search, wildcard supported
index: hs_server_ahc_task*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 1

#import: inc_time_field.inc

filter:
- terms:
    "Level": ["fatal", "error"]


alert_subject: "Alert: System {0} occurred {1} times."
alert_subject_args:
- Level
- "num_hits"

被import的  inc_es.inc 文件：

es_host: 10.10.21.77

# (Optional)
# Elasticsearch port
es_port: 9200

attach_related: true
use_kibana4_dashboard: https://nodejsgbl.italkbb.com/kibana/app/kibana#/dashboard/3bde48d0-9880-11e9-b5d5-2df46b09dea6

email_format: html

import: inc_mail.inc

这个又引入 mail.inc

alert:

- "email"

email:
- "bin.zhi@net263.com"
#- "zhibingoo@163.com"
#- "fsha@net263.com"
#- "tiezhou.wei@net263.com"

smtp_host: smtp.263.net
smtp_port: 25
smtp_auth_file: ../smtp_auth_file.yaml
email_reply_to: No.reply@net263.com
from_addr: ElastAlert@net263.com
#cc: bin.zhi@net263.com

运行：

elastalert --config ../config.yaml --rule hs_ahc_task.yaml  --verbose  --start 2019-06-27T08:45 --end 2019-06-27T09:55