Add realert_key feature

CHANGELOG.md

@@ -4,7 +4,7 @@
 - None
 
 ## New features
-- None
+- Add `realert_key` option to silence groups of alerts - [#1004](https://github.com/jertel/elastalert2/pull/1004) - @goggin
 
 ## Other changes
 - Upgrade pylint 2.15.3 to 2.15.5, pytest 7.1.3 to 7.2.0, pytest-xdist 2.5.0 to 3.0.2, sphinx 5.2.3 to 5.3.0, tox 3.26.0 to 3.27.0 - [#988](https://github.com/jertel/elastalert2/pull/988) - @nsano-rururu

docs/source/ruletypes.rst

@@ -88,6 +88,8 @@ Rule Configuration Cheat Sheet
 +--------------------------------------------------------------+           |
 | ``realert`` (time, default: 1 min)                           |           |
 +--------------------------------------------------------------+           |
+| ``realert_key`` (string, defaults to the rule name)          |           |
++--------------------------------------------------------------+           |
 | ``exponential_realert`` (time, no default)                   |           |
 +--------------------------------------------------------------+           |
 | ``match_enhancements`` (list of strs, no default)            |           |
@@ -495,6 +497,12 @@ This is applied to the time the alert is sent, not to the time of the event. It
 that if ElastAlert 2 is run over a large time period which triggers many matches, only the first alert will be sent by default. If you want
 every alert, set realert to 0 minutes. (Optional, time, default 1 minute)
 
+realert_key
+^^^^^^^^^^^
+
+``realert_key``: This option allows you to customize the key for ``realert``.  The default is the rule name, but if you have multiple rules that
+you would like to use the same key for you can set the ``realert_key`` to be the same in those rules. (Optional, string, default is the rule name)
+
 exponential_realert
 ^^^^^^^^^^^^^^^^^^^
 

elastalert/elastalert.py

@@ -880,7 +880,7 @@ def run_rule(self, rule, endtime, starttime=None):
             # If realert is set, silence the rule for that duration
             # Silence is cached by query_key, if it exists
             # Default realert time is 0 seconds
-            silence_cache_key = rule['name']
+            silence_cache_key = rule['realert_key']
             query_key_value = self.get_query_key_value(rule, match)
             if query_key_value is not None:
                 silence_cache_key += '.' + query_key_value
@@ -1675,7 +1675,7 @@ def silence(self, silence_cache_key=None):
         # With --rule, self.rules will only contain that specific rule
         if not silence_cache_key:
             if self.args.silence_qk_value:
-                silence_cache_key = self.rules[0]['name'] + "." + self.args.silence_qk_value
+                silence_cache_key = self.rules[0]['realert_key'] + "." + self.args.silence_qk_value
             else:
                 silence_cache_key = self.rules[0]['name'] + "._silence"
 

elastalert/loaders.py

@@ -333,6 +333,7 @@ def load_options(self, rule, conf, filename, args=None):
             rule.setdefault(key, val)
         rule.setdefault('name', os.path.splitext(filename)[0])
         rule.setdefault('realert', datetime.timedelta(seconds=0))
+        rule.setdefault('realert_key', rule['name'])
         rule.setdefault('aggregation', datetime.timedelta(seconds=0))
         rule.setdefault('query_delay', datetime.timedelta(seconds=0))
         rule.setdefault('timestamp_field', '@timestamp')

elastalert/schema.yaml

@@ -237,6 +237,7 @@ properties:
       - type: string
   aggregation: *timeframe
   realert: *timeframe
+  realert_key: {type: string}
   exponential_realert: *timeframe
 
   buffer_time: *timeframe

tests/conftest.py

@@ -111,6 +111,7 @@ def ea():
               'include': ['@timestamp'],
               'aggregation': datetime.timedelta(0),
               'realert': datetime.timedelta(0),
+              'realert_key': 'anytest',
               'processed_hits': {},
               'timestamp_field': '@timestamp',
               'match_enhancements': [],