本文整理汇总了Python中util.lookup_es_key函数的典型用法代码示例。如果您正苦于以下问题:Python lookup_es_key函数的具体用法?Python lookup_es_key怎么用?Python lookup_es_key使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了lookup_es_key函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Python代码示例。
示例1: compare
def compare(self, event):
    """Report whether the compound compare key changed for this event's query key.

    Every field named in ``rules['compound_compare_key']`` is looked up in the
    event and the resulting list is compared, position by position, with the
    list stored for the same ``query_key`` value. A detected change is recorded
    in ``self.change_map``; afterwards the stored values (and the timestamp,
    when ``timeframe`` is configured) are replaced by the current ones.

    Returns False straight away, without touching any stored state, when
    ``ignore_null`` is set and a looked-up value is falsy and not a bool.
    """
    key = hashable(lookup_es_key(event, self.rules['query_key']))
    elastalert_logger.debug(" Previous Values of compare keys " + str(self.occurrences))
    values = [lookup_es_key(event, field) for field in self.rules['compound_compare_key']]
    elastalert_logger.debug(" Current Values of compare keys " + str(values))

    # Booleans are exempt from the null test so that a field holding False
    # still takes part in the comparison.
    if any(not isinstance(val, bool) and not val and self.rules['ignore_null'] for val in values):
        return False

    changed = False
    if key in self.occurrences:
        previous = self.occurrences[key]
        # Stop at the first position whose value differs from the stored one.
        for idx, old_value in enumerate(previous):
            elastalert_logger.debug(" " + str(old_value) + " " + str(values[idx]))
            changed = old_value != values[idx]
            if changed:
                break
        if changed:
            self.change_map[key] = (previous, values)
            # With a timeframe, the change only counts when the previous
            # sighting is no further back than the timeframe (<=).
            if key in self.occurrence_time:
                elapsed = event[self.rules['timestamp_field']] - self.occurrence_time[key]
                changed = elapsed <= self.rules['timeframe']

    # Remember the current values and time for the next comparison.
    elastalert_logger.debug(" Setting current value of compare keys values " + str(values))
    self.occurrences[key] = values
    if 'timeframe' in self.rules:
        self.occurrence_time[key] = event[self.rules['timestamp_field']]
    elastalert_logger.debug("Final result of comparision between previous and current values " + str(changed))
    return changed
开发者ID:lucasrodcosta,项目名称:elastalert,代码行数:33,代码来源:ruletypes.py
示例2: _add_custom_alert_text
def _add_custom_alert_text(self):
    """Append the rule's ``alert_text`` to ``self.text``, filled in from the match.

    With ``alert_text_args`` the template is formatted positionally; with
    ``alert_text_kw`` (a mapping of source name to keyword name) it is
    formatted by keyword. A name that is not found in the match falls back to
    the top-level rule property of the same name, and anything still None
    becomes '<MISSING VALUE>'.

    The template comes from the rule only; document values are passed as
    format arguments, so they cannot add format fields of their own.
    NOTE(review): the values are inserted verbatim -- confirm that whatever
    renders the alert escapes them as its channel requires.
    """
    placeholder = '<MISSING VALUE>'
    template = unicode(self.rule.get('alert_text', ''))

    if 'alert_text_args' in self.rule:
        positional = []
        for arg in self.rule.get('alert_text_args'):
            found = lookup_es_key(self.match, arg)
            if found is None:
                # Fall back to a top-level rule property of the same name.
                # A document key of that name always wins, since the match
                # is consulted first; falsy rule values are not used.
                found = self.rule.get(arg) or None
            positional.append(placeholder if found is None else found)
        template = template.format(*positional)
    elif 'alert_text_kw' in self.rule:
        by_keyword = {}
        for source_name, keyword in self.rule.get('alert_text_kw').items():
            found = lookup_es_key(self.match, source_name)
            if found is None:
                # Same fallback as above, except that here any rule value
                # other than None is accepted, falsy ones included.
                found = self.rule.get(source_name)
            by_keyword[keyword] = placeholder if found is None else found
        template = template.format(**by_keyword)

    self.text += template
开发者ID:kenshin17,项目名称:elastalert,代码行数:33,代码来源:alerts.py
示例3: add_data
def add_data(self, data):
    """Raise a match for every field value that has not been seen before.

    Each entry of ``self.fields`` is either a single field name or a list of
    names forming a composite key. A value absent from
    ``self.seen_values`` is recorded there and reported with ``new_field``
    set on the document; a falsy value is reported with ``missing_field``
    when ``alert_on_missing_field`` is enabled.

    NOTE(review): "missing" is decided by truthiness, so 0, False and the
    empty string are treated like an absent field -- confirm that is intended.
    """
    for doc in data:
        for field in self.fields:
            if type(field) == list:
                # Composite key: a tuple is hashable and can index seen_values.
                seen_key = tuple(field)
                value = ()
                for part_name in field:
                    part = lookup_es_key(doc, part_name)
                    if not part:
                        # One falsy component makes the whole key count as missing.
                        value = None
                        break
                    value += (part,)
            else:
                seen_key = field
                value = lookup_es_key(doc, field)

            if value:
                if value not in self.seen_values[seen_key]:
                    doc['new_field'] = seen_key
                    # Deep copy so later changes to doc leave the match untouched.
                    self.add_match(copy.deepcopy(doc))
                    self.seen_values[seen_key].append(value)
            elif self.rules.get('alert_on_missing_field'):
                doc['missing_field'] = seen_key
                self.add_match(copy.deepcopy(doc))
开发者ID:AppDirect,项目名称:elastalert,代码行数:25,代码来源:ruletypes.py
示例4: compare
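def compare(self, event):
    """Report whether ``compare_key`` changed for this event's ``query_key`` value.

    The current value is compared with the one stored for the same key; a
    change is recorded in ``self.change_map``. The stored value (and the
    timestamp, when ``timeframe`` is configured) is then replaced by the
    current one.

    Returns False without updating any state when ``ignore_null`` is set and
    the value is falsy and not a bool.
    """
    key = hashable(lookup_es_key(event, self.rules["query_key"]))
    val = lookup_es_key(event, self.rules["compare_key"])
    # A boolean False is a real value, not a null: without the isinstance
    # test a field flipping from True to False would be dropped here and the
    # change would never be reported while ignore_null is on.
    if not isinstance(val, bool) and not val and self.rules["ignore_null"]:
        return False
    changed = False
    # If we have seen this key before, compare it to the new value
    if key in self.occurrences:
        changed = self.occurrences[key] != val
        if changed:
            self.change_map[key] = (self.occurrences[key], val)
            # With a timeframe, the change only counts when the previous
            # sighting is no further back than the timeframe (<=).
            if key in self.occurrence_time:
                changed = (
                    event[self.rules["timestamp_field"]] - self.occurrence_time[key] <= self.rules["timeframe"]
                )
    # Update the current value and time
    self.occurrences[key] = val
    if "timeframe" in self.rules:
        self.occurrence_time[key] = event[self.rules["timestamp_field"]]
    return changed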
开发者ID:rounds,项目名称:elastalert,代码行数:25,代码来源:ruletypes.py
示例5: alert
def alert(self, matches):
    """Write each match to the ElastAlert logger at INFO level.

    A headline with the rule name, the match's ``query_key`` value (when the
    match has one) and its timestamp is logged first, followed by the match
    rendered through ``BasicMatchString``.

    NOTE(review): document values reach the log unmodified; if this log is
    parsed by other tooling, confirm that control characters in field values
    are handled there.
    """
    query_key = self.rule.get('query_key', None)
    for match in matches:
        when = lookup_es_key(match, self.rule['timestamp_field'])
        if query_key in match:
            headline = 'Alert for %s, %s at %s:' % (self.rule['name'], match[query_key], when)
        else:
            headline = 'Alert for %s at %s:' % (self.rule['name'], when)
        elastalert_logger.info(headline)
        elastalert_logger.info(unicode(BasicMatchString(self.rule, match)))
开发者ID:kenshin17,项目名称:elastalert,代码行数:9,代码来源:alerts.py
示例6: add_data
def add_data(self, data):
    """Record the cardinality field of every event and check for a match.

    Events are bucketed by their ``query_key`` value, or under the single
    bucket 'all' when no ``query_key`` is configured. For each bucket the
    timestamp of the first event is kept, and every distinct value of
    ``self.cardinality_field`` is stored with the timestamp of its latest
    occurrence. Events whose cardinality value is None are not stored and do
    not trigger a check.
    """
    query_key = self.rules.get('query_key')
    for event in data:
        bucket = hashable(lookup_es_key(event, query_key)) if query_key else 'all'
        self.cardinality_cache.setdefault(bucket, {})
        self.first_event.setdefault(bucket, event[self.ts_field])

        term = hashable(lookup_es_key(event, self.cardinality_field))
        if term is None:
            continue
        # Keep this timestamp as the most recent occurrence of the term.
        self.cardinality_cache[bucket][term] = event[self.ts_field]
        self.check_for_match(bucket, event)
开发者ID:lucasrodcosta,项目名称:elastalert,代码行数:15,代码来源:ruletypes.py
示例7: _add_custom_alert_text
def _add_custom_alert_text(self):
    """Append the rule's ``alert_text`` to ``self.text``, filled in from the match.

    ``alert_text_args`` formats the template positionally; ``alert_text_kw``
    (source name -> keyword name) formats it by keyword. A lookup that
    yields None is replaced by '<MISSING VALUE>'.

    The template comes from the rule only; document values are passed as
    format arguments. NOTE(review): they are inserted verbatim -- confirm
    that the code rendering the alert escapes them for its channel.
    """
    placeholder = '<MISSING VALUE>'
    template = unicode(self.rule.get('alert_text', ''))

    def or_placeholder(found):
        return placeholder if found is None else found

    if 'alert_text_args' in self.rule:
        found_values = [lookup_es_key(self.match, arg) for arg in self.rule.get('alert_text_args')]
        template = template.format(*[or_placeholder(found) for found in found_values])
    elif 'alert_text_kw' in self.rule:
        by_keyword = {}
        for source_name, keyword in self.rule.get('alert_text_kw').items():
            by_keyword[keyword] = or_placeholder(lookup_es_key(self.match, source_name))
        template = template.format(**by_keyword)

    self.text += template
开发者ID:banjoey,项目名称:elastalert,代码行数:16,代码来源:alerts.py
示例8: get_aggregation_summary_text
def get_aggregation_summary_text(self, matches):
    """Return a text table counting matches per combination of summary fields.

    The table is only produced when the rule defines both ``aggregation``
    and ``summary_table_fields``; otherwise an empty unicode string is
    returned. ``summary_table_fields`` may be a single name or a list.
    """
    if 'aggregation' not in self.rule or 'summary_table_fields' not in self.rule:
        return unicode('')

    columns = self.rule['summary_table_fields']
    if not isinstance(columns, list):
        columns = [columns]
    # A trailing 'count' column shows at a glance how often each
    # combination of values was encountered.
    columns_with_count = columns + ['count']

    summary = "Aggregation resulted in the following data for summary_table_fields ==> {0}:\n\n".format(columns_with_count)
    table = Texttable()
    table.header(columns_with_count)

    # One running total per distinct tuple of (stringified) field values.
    tally = {}
    for match in matches:
        combo = tuple([unicode(lookup_es_key(match, column)) for column in columns])
        tally[combo] = tally.get(combo, 0) + 1

    for combo, occurrences in tally.iteritems():
        table.add_row(list(combo) + [occurrences])

    summary += table.draw() + '\n\n'
    return unicode(summary)
开发者ID:kenshin17,项目名称:elastalert,代码行数:25,代码来源:alerts.py
示例9: compare
def compare(self, event):
    """Return True when the event's ``compare_key`` value is not whitelisted.

    An event whose lookup yields None matches unless ``ignore_null`` is set,
    so by default an event without the field is reported rather than
    silently passed.
    """
    term = lookup_es_key(event, self.rules['compare_key'])
    if term is None:
        return not self.rules['ignore_null']
    return term not in self.rules['whitelist']
开发者ID:AppDirect,项目名称:elastalert,代码行数:7,代码来源:ruletypes.py
示例10: garbage_collect
def garbage_collect(self, timestamp):
    """Drop every occurrence window whose newest entry is older than the timeframe.

    A window is stale when ``timestamp`` minus the timestamp of its last
    entry exceeds ``rules['timeframe']``.
    """
    # Collect first, remove afterwards: the dict must not shrink while it
    # is being iterated.
    expired = [
        key for key, window in self.occurrences.iteritems()
        if timestamp - lookup_es_key(window.data[-1][0], self.ts_field) > self.rules['timeframe']
    ]
    for key in expired:
        self.occurrences.pop(key)
开发者ID:AppDirect,项目名称:elastalert,代码行数:7,代码来源:ruletypes.py
示例11: _add_custom_alert_text
def _add_custom_alert_text(self):
    """Append the rule's ``alert_text`` to ``self.text``.

    When ``alert_text_args`` is present, each named field is looked up in
    the match and passed positionally to ``str.format``; a lookup that
    yields None becomes "<MISSING VALUE>".

    NOTE(review): document values are inserted verbatim -- confirm that the
    code rendering the alert escapes them for its channel.
    """
    template = unicode(self.rule.get("alert_text", ""))
    if "alert_text_args" in self.rule:
        positional = []
        for arg in self.rule.get("alert_text_args"):
            found = lookup_es_key(self.match, arg)
            positional.append("<MISSING VALUE>" if found is None else found)
        template = template.format(*positional)
    self.text += template
开发者ID:kimkj2013,项目名称:elastalert,代码行数:8,代码来源:alerts.py
示例12: add_data
def add_data(self, data):
    """Hand every event to ``handle_event`` with a count of 1 and its bucket key.

    The bucket is the event's ``query_key`` value; events are grouped under
    "all" when no ``query_key`` is configured and under "other" when the
    lookup yields None.
    """
    for event in data:
        bucket = self.rules.get("query_key", "all")
        if bucket != "all":
            bucket = hashable(lookup_es_key(event, bucket))
            # Events lacking the query key share one catch-all bucket.
            bucket = "other" if bucket is None else bucket
        self.handle_event(event, 1, bucket)
开发者ID:rounds,项目名称:elastalert,代码行数:8,代码来源:ruletypes.py
示例13: _add_custom_alert_text
def _add_custom_alert_text(self):
    """Append the rule's ``alert_text`` to ``self.text``.

    When ``alert_text_args`` is present, each named field is looked up in
    the match and passed positionally to ``str.format``; a lookup that
    yields None becomes '<MISSING VALUE>'.

    NOTE(review): document values are inserted verbatim -- confirm that the
    code rendering the alert escapes them for its channel.
    """
    template = unicode(self.rule.get('alert_text', ''))
    if 'alert_text_args' in self.rule:
        positional = []
        for arg in self.rule.get('alert_text_args'):
            found = lookup_es_key(self.match, arg)
            positional.append('<MISSING VALUE>' if found is None else found)
        template = template.format(*positional)
    self.text += template
开发者ID:huangchaosuper,项目名称:elastalert,代码行数:8,代码来源:alerts.py
示例14: get_match_str
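def get_match_str(self, match):
    """Return a sentence describing the window in which the events occurred.

    The window ends at the match's timestamp and starts ``rules['timeframe']``
    earlier; both ends are rendered with ``pretty_ts``, honouring the
    rule's ``use_local_time`` setting.
    """
    lt = self.rules.get('use_local_time')
    match_ts = lookup_es_key(match, self.ts_field)
    starttime = pretty_ts(dt_to_ts(ts_to_dt(match_ts) - self.rules['timeframe']), lt)
    # The listing formatted `endtime` without ever assigning it, which raises
    # NameError on every call; the window ends at the match itself.
    endtime = pretty_ts(match_ts, lt)
    message = 'At least %d(%d) events occurred between %s and %s\n\n' % (self.rules['num_events'],
                                                                        match['count'],
                                                                        starttime,
                                                                        endtime)
    return message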
开发者ID:AppDirect,项目名称:elastalert,代码行数:9,代码来源:ruletypes.py
示例15: add_match
def add_match(self, match):
    """Add the match, annotated with the old and new value when a change is known.

    The change recorded in ``self.change_map`` for the match's ``query_key``
    value supplies ``old_value`` and ``new_value``; without a recorded
    change the match is passed on with no extra keys.
    """
    # TODO: not strictly correct -- if the term changes several times before
    # an alert is sent, only the most recent change is kept in change_map.
    query_value = hashable(lookup_es_key(match, self.rules["query_key"]))
    recorded = self.change_map.get(query_value)
    annotations = {"old_value": recorded[0], "new_value": recorded[1]} if recorded else {}
    merged = dict(match.items() + annotations.items())
    super(ChangeRule, self).add_match(merged)
开发者ID:rounds,项目名称:elastalert,代码行数:9,代码来源:ruletypes.py
示例16: create_custom_title
def create_custom_title(self, matches):
    """Return the rule's ``alert_subject``, formatted from the first match.

    Without ``alert_subject_args`` the subject is returned unchanged.
    Otherwise each named field is looked up in ``matches[0]`` and passed
    positionally to ``str.format``; a lookup that yields None becomes
    '<MISSING VALUE>'.

    NOTE(review): document values are inserted verbatim -- confirm that the
    code sending the alert escapes them for its channel.
    """
    subject = self.rule['alert_subject']
    if 'alert_subject_args' not in self.rule:
        return subject

    positional = []
    for arg in self.rule['alert_subject_args']:
        found = lookup_es_key(matches[0], arg)
        positional.append('<MISSING VALUE>' if found is None else found)
    return subject.format(*positional)
开发者ID:huangchaosuper,项目名称:elastalert,代码行数:10,代码来源:alerts.py
示例17: add_match
def add_match(self, match):
    """Add the match, annotated with the old and new value when a change is known.

    The change recorded in ``self.change_map`` for the match's ``query_key``
    value supplies ``old_value`` and ``new_value``. The merged record is
    also written to the debug log.

    NOTE(review): the debug line contains the whole matched document;
    confirm that is acceptable wherever debug logging is enabled.
    """
    # TODO: not strictly correct -- if the term changes several times before
    # an alert is sent, only the most recent change is kept in change_map.
    query_value = hashable(lookup_es_key(match, self.rules['query_key']))
    recorded = self.change_map.get(query_value)
    annotations = {}
    if recorded:
        annotations = {'old_value': recorded[0],
                       'new_value': recorded[1]}
    merged = dict(match.items() + annotations.items())
    elastalert_logger.debug("Description of the changed records " + str(merged))
    super(ChangeRule, self).add_match(merged)
开发者ID:lucasrodcosta,项目名称:elastalert,代码行数:11,代码来源:ruletypes.py
示例18: add_data
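def add_data(self, data):
    """Raise a match for every field value that has not been seen before.

    For each field in ``self.fields`` the value is looked up in the
    document. A value absent from ``self.seen_values[field]`` is recorded
    there and reported with ``new_field`` set; a falsy value is reported
    with ``missing_field`` when ``alert_on_missing_field`` is enabled.

    NOTE(review): "missing" is decided by truthiness, so 0, False and the
    empty string are treated like an absent field -- confirm that is intended.
    """
    # Function-scope import: the file's import block is not part of this listing.
    import copy

    for document in data:
        for field in self.fields:
            value = lookup_es_key(document, field)
            if not value and self.rules.get('alert_on_missing_field'):
                document['missing_field'] = field
                # Pass a snapshot: the same document is annotated again for
                # the next field, which would otherwise rewrite the marker
                # on a match that was already handed over.
                self.add_match(copy.deepcopy(document))
            elif value:
                if value not in self.seen_values[field]:
                    document['new_field'] = field
                    self.add_match(copy.deepcopy(document))
                    self.seen_values[field].append(value)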
开发者ID:danielstorytel,项目名称:elastalert,代码行数:12,代码来源:ruletypes.py
示例19: create_custom_title
def create_custom_title(self, matches):
    """Return the rule's ``opsgenie_subject``, formatted from the first match.

    Without ``self.opsgenie_subject_args`` the subject is returned as is.
    Otherwise each named field is looked up in ``matches[0]``; a field not
    found there falls back to a truthy top-level rule property of the same
    name, and anything still None becomes '<MISSING VALUE>'.

    NOTE(review): document values are inserted verbatim -- confirm that the
    code sending the alert escapes them for its channel.
    """
    subject = unicode(self.rule['opsgenie_subject'])
    if not self.opsgenie_subject_args:
        return subject

    positional = []
    for arg in self.opsgenie_subject_args:
        found = lookup_es_key(matches[0], arg)
        if found is None:
            # Rule-property fallback; falsy rule values are not used.
            found = self.rule.get(arg) or None
        positional.append('<MISSING VALUE>' if found is None else found)
    return subject.format(*positional)
开发者ID:Yelp,项目名称:elastalert,代码行数:16,代码来源:opsgenie.py
示例20: create_custom_title
def create_custom_title(self, matches):
    """Return the rule's ``alert_subject``, formatted from the first match.

    Without ``alert_subject_args`` the subject is returned as is. Otherwise
    each named field is looked up in ``matches[0]``; a field not found there
    falls back to a truthy top-level rule property of the same name, and
    anything still None becomes '<MISSING VALUE>'.

    NOTE(review): document values are inserted verbatim -- confirm that the
    code sending the alert escapes them for its channel.
    """
    subject = unicode(self.rule['alert_subject'])
    if 'alert_subject_args' not in self.rule:
        return subject

    positional = []
    for arg in self.rule['alert_subject_args']:
        found = lookup_es_key(matches[0], arg)
        if found is None:
            # Fall back to a top-level rule property of the same name. A
            # document key of that name always wins, since the match is
            # consulted first; falsy rule values are not used.
            found = self.rule.get(arg) or None
        positional.append('<MISSING VALUE>' if found is None else found)
    return subject.format(*positional)
开发者ID:kenshin17,项目名称:elastalert,代码行数:20,代码来源:alerts.py
注:本文中的util.lookup_es_key函数示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |