From 3dafe20d415369ff25ed10cf29d8630707a121bf Mon Sep 17 00:00:00 2001 From: Nicolas Novelli Date: Tue, 3 Dec 2024 17:42:48 +0100 Subject: [PATCH 1/2] Add `aggregation_alert_time_compared_with_timestamp_field` documentation and update changelog. --- CHANGELOG.md | 2 +- docs/source/ruletypes.rst | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d78af4e1..a3bda8eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ - None ## Other changes -- None +- [Docs] Add missing documentation of the `aggregation_alert_time_compared_with_timestamp_field` option. - [#1555](https://github.com/jertel/elastalert2/discussions/1555) - @nicolasnovelli # 2.22.0 diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst index 842d229d..2f942b86 100644 --- a/docs/source/ruletypes.rst +++ b/docs/source/ruletypes.rst 
@@ -526,6 +526,17 @@ aggregate_by_match_time Setting this to true will cause aggregations to be created relative to the timestamp of the first event, rather than the current time. This is useful for querying over historic data or if using a very large buffer_time and you want multiple aggregations to occur from a single query. +aggregation_alert_time_compared_with_timestamp_field +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``aggregation_alert_time_compared_with_timestamp_field``: This option controls how aggregation works when a rule processes events +older than ``current time - aggregation window`` and ``aggregate_by_match_time`` is set to true. Defaults to false. +When false, the expected send timestamp of the pending alert (waiting for additional events to aggregate) is compared with the current time. +As a result, following events will not be aggregated with the pending alert, because it is considered already notified, +leading to past events being notified one by one instead of being grouped together. +When true, it allows the aggregation of events with old timestamps, as long as they are within the aggregation window. +(Optional, boolean, default false) + realert ^^^^^^^ From afad5d74fb2def0892fa79b0e776853a521d7a09 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 4 Dec 2024 08:36:00 -0500 Subject: [PATCH 2/2] Fix changelog link --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3bda8eb..7e00a4b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ - None ## Other changes -- [Docs] Add missing documentation of the `aggregation_alert_time_compared_with_timestamp_field` option. - [#1555](https://github.com/jertel/elastalert2/discussions/1555) - @nicolasnovelli +- [Docs] Add missing documentation of the `aggregation_alert_time_compared_with_timestamp_field` option. - [#1588](https://github.com/jertel/elastalert2/pull/1588) - @nicolasnovelli # 2.22.0
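Review bot: the changelog entry added in PATCH 1/2 (CHANGELOG.md, `## Other changes`) links to discussion #1555 instead of the pull request that carries the change; the same line is rewritten in PATCH 2/2 to point at `pull/1588`, so the first commit could have carried the PR link directly, or the two commits should be squashed before merge so the changelog history does not record a wrong link and its correction.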
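Review bot: the new `aggregation_alert_time_compared_with_timestamp_field` entry in docs/source/ruletypes.rst (PATCH 1/2) never states what the pending alert's expected send timestamp is compared with when the option is true. The `false` branch says it is compared with the current time, and the option name implies the `true` branch compares it with the event's timestamp field, but the text only says it "allows the aggregation of events with old timestamps". Suggest making the comparison explicit, along the lines of `When true, the expected send timestamp is instead compared with the event's timestamp field, so older events are still aggregated into the pending alert as long as they fall within the aggregation window.` Two smaller points on the same hunk: `Defaults to false.` in the first sentence duplicates the closing `(Optional, boolean, default false)` line, so one of the two can go, and `following events` reads better as `subsequent events`.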