
elastalert python WARNING:elasticsearch:DELETE https://[es_host]/_search/scroll [status:404 request:0.013s] #1347

Closed Locked Answered by jertel
Ox0000ff asked this question in Q&A

It seems like the two ElastAlert instances are either accessing different Elasticsearch clusters, or they have different access rights. For example, the ElastAlert instance that isn't working perhaps doesn't have read/write/scroll/etc rights to the cluster, but the working ElastAlert instance does have those privileges.

I can't think of any other reason why identical queries originating from alternate sources would see different results.

If I were in your shoes, I would use tcpdump or Wireshark to trace the packets and confirm that they are arriving from both ElastAlert instances.
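One way to check the "different access rights" hypothesis directly, as an added example that is not part of jertel's answer or of the ElastAlert project: ask the cluster, as each instance's own service account, whether it holds the privileges ElastAlert needs, using Elasticsearch's `_security/user/_has_privileges` API. The host URL, credentials, index patterns and the exact privilege set (`read`/`view_index_metadata` on the rule indices, `read`/`write`/`create_index` on the writeback index, cluster `monitor`) are assumptions to adjust to your deployment; the sample response is constructed so the parsing logic runs offline.

```python
"""Compare the privileges an ElastAlert service account actually holds against
the set ElastAlert needs, via POST /_security/user/_has_privileges.

Added example, not code from the discussion or the ElastAlert project.
Assumptions: host URL, credentials, index names and the privilege list below.
"""
import base64
import json
import urllib.request


def build_privilege_request(rule_indices, writeback_index):
    """Body for _has_privileges. The privilege set is an assumption; tune it
    to what your rules and writeback configuration really require."""
    return {
        "cluster": ["monitor"],
        "index": [
            {"names": list(rule_indices),
             "privileges": ["read", "view_index_metadata"]},
            {"names": [writeback_index],
             "privileges": ["read", "write", "create_index"]},
        ],
    }


def missing_privileges(response):
    """Flatten a _has_privileges response into a sorted list of the
    'scope:name' entries that evaluated to false (empty list == all granted)."""
    missing = []
    for name, granted in response.get("cluster", {}).items():
        if not granted:
            missing.append(f"cluster:{name}")
    for index, privs in response.get("index", {}).items():
        for name, granted in privs.items():
            if not granted:
                missing.append(f"index:{index}:{name}")
    return sorted(missing)


def check_user(es_url, username, password, rule_indices, writeback_index,
               timeout=10):
    """Run the privilege question against the cluster as the given user and
    return whatever is missing. Run this once per ElastAlert host, with that
    host's own credentials, to see whether the two instances differ."""
    body = json.dumps(build_privilege_request(rule_indices,
                                              writeback_index)).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/_security/user/_has_privileges",
        data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return missing_privileges(json.load(resp))


# Constructed sample response, shaped like the real API's output: the user can
# read the rule indices but cannot write to the writeback index.
SAMPLE_RESPONSE = {
    "username": "elastalert",
    "has_all_requested": False,
    "cluster": {"monitor": True},
    "index": {
        "logs-*": {"read": True, "view_index_metadata": True},
        "elastalert_status": {"read": True, "write": False,
                              "create_index": False},
    },
    "application": {},
}

if __name__ == "__main__":
    # Offline demonstration on the constructed response; for a live check call
    # check_user("https://es_host:9200", "elastalert", "<password>",
    #            ["logs-*"], "elastalert_status") from each ElastAlert host.
    print(missing_privileges(SAMPLE_RESPONSE))
```

Running the same call from both hosts with each instance's credentials turns the guess about differing rights into a concrete diff of missing privileges; if both come back empty, the packet-capture step in the answer is the next thing to try.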
