Command Line Flags

ElastAlert 2 accepts several optional command line parameters:

--config will specify the configuration file to use. The default is config.yaml.

--debug will run ElastAlert 2 in debug mode. This will increase the logging verboseness, change all alerts to DebugAlerter, which prints alerts and suppresses their normal action, and skips writing search and alert metadata back to Elasticsearch. Not compatible with –verbose.

--end <timestamp> will force ElastAlert 2 to stop querying after the given time, instead of the default, querying to the present time. This really only makes sense when running standalone. The timestamp is formatted as YYYY-MM-DDTHH:MM:SS (UTC) or with timezone YYYY-MM-DDTHH:MM:SS-XX:00 (UTC-XX).

--es_debug will enable logging for all queries made to Elasticsearch.

--es_debug_trace <trace.log> will enable logging curl commands for all queries made to Elasticsearch to the specified log file. --es_debug_trace is passed through to elasticsearch.py which logs localhost:9200 instead of the actual es_host:es_port.

--pin_rules will stop ElastAlert 2 from loading, reloading or removing rules based on changes to their config files.

--prometheus_port exposes ElastAlert 2 Prometheus metrics on the specified port. Prometheus metrics disabled by default.

--prometheus_addr allows you to specify the host address that the Prometheus metrics server will bind to.

--rule <rule.yaml> will only run the given rule. The rule file may be a complete file path or a filename in rules_folder or its subdirectories.

--silence <unit>=<number> will silence the alerts for a given rule for a period of time. The rule must be specified using --rule. <unit> is one of days, weeks, hours, minutes or seconds. <number> is an integer. For example, --rule noisy_rule.yaml --silence hours=4 will stop noisy_rule from generating any alerts for 4 hours.

--silence_qk_value <value will silence the rule only for the given query key value. This parameter is intended to be used with the --rule parameter.

--start <timestamp> will force ElastAlert 2 to begin querying from the given time, instead of the default, querying from the present. The timestamp should be ISO8601, e.g. YYYY-MM-DDTHH:MM:SS (UTC) or with timezone YYYY-MM-DDTHH:MM:SS-08:00 (PST). Note that if querying over a large date range, no alerts will be sent until that rule has finished querying over the entire time period. To force querying from the current time, use “NOW”.

--verbose will increase the logging verboseness, which allows you to see information about the state of queries. Not compatible with –debug.