How to silence the rule via api?

[ashliakhov]

Hey, thanks for the great project!

Newbie question, but how can I silent (or disable) the particular rule using swagger?

Any hint is appreciated 🙏

[Karql]

Hi,

Currently there is no such method to do it in swagger.

You can try edit rule and add is_enabled to it.

https://elastalert2.readthedocs.io/en/latest/ruletypes.html

You can also delete rule and restore it later.

If you have access to elastic you add document to silence index directly.
https://github.com/jertel/elastalert2/blob/master/elastalert/elastalert.py#L1778

As a target solution, I would suggest add a new method in the API.
Method should take two parameters

• rule name
• silent duration
  and starts a new elastalert2 process with --rule and --silence flags.

https://elastalert2.readthedocs.io/en/latest/flags.html

However, I won’t have time for this in the near future – a PR is always welcome! ;)

Note for dev purpose: https://github.com/jertel/elastalert2/pull/1004/files#r1018520966
@jertel was right. The behavior here will be differen. If someone uses only --silence, it will match by rule name, but with --silence_qk_value, it will match by realert_key.

Best regards,
Mateusz

[ashliakhov]

@Karql
Thanks a lot! Will give it a try 👍

[nsano-rururu]

@ashliakhov
johnsusek/elastalert-server only supports --silence.
--silence_qk_value is not supported.

@Karql

Are there plans to support this in elastalert2-server?