diff --git a/README.md b/README.md index 1c85c31..03a46ad 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,7 @@ A collection of delicious docker recipes. - [x] cadvisor - [x] casperjs :+1: - [x] collectd +- [x] elastalert - [x] freegeoip - [x] freeradius - [x] frp :cn: @@ -269,7 +270,6 @@ A collection of delicious docker recipes. - [x] cachethq/docker - [x] drone/drone - [x] drupal -- [x] elastalert - [x] elk - [x] flogo/flogo-docker - [x] mher/flower diff --git a/elastalert/Dockerfile b/elastalert/Dockerfile index de21032..615e205 100644 --- a/elastalert/Dockerfile +++ b/elastalert/Dockerfile @@ -6,19 +6,25 @@ FROM python:3.6-alpine ENV ELASTALERT_VERSION=v0.2.1 ENV ELASTALERT_HOME=/opt/elastalert +ENV TZ=UTC WORKDIR ${ELASTALERT_HOME} RUN set -xe \ + && apk add --no-cache \ + bash \ + curl \ + libffi \ + libmagic \ + libssl1.1 \ + musl \ + tzdata \ && apk add --no-cache -t .build-deps \ build-base \ - curl \ libffi-dev \ - libmagic \ musl-dev \ openssl-dev \ - python-dev \ - tzdata \ + python3-dev \ && pip install elastalert==${ELASTALERT_VERSION} \ && mkdir -p rules \ && curl -sSL https://github.com/Yelp/elastalert/raw/${ELASTALERT_VERSION}/config.yaml.example > config.yaml \ diff --git a/elastalert/README.md b/elastalert/README.md index 72391b5..f78ebaf 100644 --- a/elastalert/README.md +++ b/elastalert/README.md @@ -7,11 +7,11 @@ patterns of interest from data in Elasticsearch. ## up and running ```bash -$ docker-compose up -d -$ docker-compose exec elastalert sh ->>> cd /opt/elastalert/rules ->>> elastalert-test-rule example.yaml +$ docker-compose run --rm elastalert sh +>>> elastalert-create-index --config config.yaml +>>> elastalert-test-rule --config config.yaml rules/example.yaml >>> exit +$ docker-compose up -d ``` > ElastAlert will also load new rules, stop running missing rules, and restart diff --git a/elastalert/data/rules/example.yaml b/elastalert/data/rules/example.yaml index 4c4db57..a3b54cf 100644 --- a/elastalert/data/rules/example.yaml 
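Review bot: The `curl -sSL … > config.yaml` line at the end of the hunk has no `-f`, so a 404 or other HTTP error from GitHub is written into config.yaml as the file body and `set -e` never fires, leaving a broken config baked into the image; change it to `&& curl -fsSL https://github.com/Yelp/elastalert/raw/${ELASTALERT_VERSION}/config.yaml.example > config.yaml \`. The `pip install elastalert==${ELASTALERT_VERSION}` line is pinned, which is good, but should be `pip install --no-cache-dir elastalert==${ELASTALERT_VERSION}` so the wheel cache does not persist in the layer. The new runtime `apk add` packages (bash, curl, libffi, libmagic, libssl1.1, musl, tzdata) are unpinned, so rebuilds are not reproducible; hadolint DL3018 would ask for `pkg=version` pins. The RUN continues past the hunk, so whether `.build-deps` is later removed with `apk del` and whether the image drops to a non-root `USER` cannot be confirmed from here.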
+++ b/elastalert/data/rules/example.yaml @@ -7,8 +7,12 @@ type: frequency index: logstash-* +doc_type: _doc + num_events: 10 +use_count_query: true + timeframe: hours: 1 @@ -20,6 +24,4 @@ filter: alert: - command -command: -- echo -- "{match[@timestamp]} {match[message]}" +command: [echo, bad, things, happen]
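Review bot: `use_count_query: true` together with `doc_type: _doc` ties the example rule to a single mapping type, and if the `logstash-*` indices were written by an older Elasticsearch 5.x pipeline the type is presumably something other than `_doc`, in which case the count query would return zero hits and the rule would never fire without raising any error. A one-line comment above `doc_type` stating the assumption would save the next reader a silent failure: `# _doc is the single mapping type on ES 6+; older indices need whatever type the ingest pipeline used`. The rule file continues outside this hunk.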
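Review bot: The new `command: [echo, bad, things, happen]` alert no longer references the match at all, so the example does not show how alert content reaches the command, and the bare list gives no hint that `{match[field]}` placeholders (as in the removed lines) are formatted into argv elements with raw log content. Since this example exists to be copied, a comment would keep people from wrapping it in a shell or trusting the interpolated text: `# args run as an argv list; {match[field]} placeholders inject unescaped log content — treat as untrusted`. Whether ElastAlert invokes the list without a shell is inferred from the list form rather than shown in this hunk, so confirm against the command alerter before relying on it.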