num_events for a frequency rule #1438
Replies: 3 comments 17 replies
You should review the debug logs, looking at hits vs matches on each rule run, and compare that to the timeline of the matching documents' @timestamp fields.
Valid point @jertel! See also the attachments:
Could you please help us with that?
Let's archive this discussion until more evidence is gathered. |
Hello!
We've been using a frequency rule with a configuration similar to the below:
The rule is executed every minute and is expected to check if more than 10 documents during the last 5 minutes match the query.
Nevertheless, we have seen several cases whereby the alert is triggered even if less than 10 documents match the query.
Is there a way to troubleshoot this?
P.S: ElastAlert2 is launched as a Docker container via the following command:
P.S2: We are still using 2.12.0 because newer versions fail to start. That's something for another discussion thread, though.
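The check @jertel suggests (compare each run's hit count against the @timestamp timeline of the matching documents) can be replayed offline once the matching documents have been exported from Elasticsearch. The script below is an added example written for this discussion, not ElastAlert2 code: it models a frequency rule as a trailing window of `timeframe` evaluated once per `run_every`, with `num_events` treated as inclusive, which is how the ElastAlert2 documentation describes it. The real scheduler also uses `buffer_time` and query windows that this model ignores, so treat it as a way to reason about the timestamps, not as a reimplementation. The sample timestamps are constructed; they deliberately never put more than 3 documents in any single minute while still putting 10 inside one 5-minute window, which is the situation where a rule fires although "no minute" looked busy.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data): @timestamp values of documents that the
# rule's filter matched, as they would be exported from Elasticsearch.
SAMPLE_TIMESTAMPS = [
    "2024-03-01T10:00:05Z", "2024-03-01T10:00:40Z",
    "2024-03-01T10:01:10Z", "2024-03-01T10:01:50Z",
    "2024-03-01T10:02:20Z", "2024-03-01T10:02:35Z", "2024-03-01T10:02:55Z",
    "2024-03-01T10:03:15Z", "2024-03-01T10:03:45Z",
    "2024-03-01T10:04:05Z",
    "2024-03-01T10:09:00Z",
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 @timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hits_in_window(timestamps, window_end: datetime, timeframe: timedelta):
    """Documents whose @timestamp falls in (window_end - timeframe, window_end]."""
    start = window_end - timeframe
    return sorted(t for t in map(parse_ts, timestamps) if start < t <= window_end)


def simulate_runs(timestamps, first_run: datetime, last_run: datetime,
                  run_every: timedelta, timeframe: timedelta, num_events: int):
    """Replay one evaluation per run_every. Returns (run_time, hits, fires) tuples.

    Assumption: a trailing window per run and an inclusive num_events threshold.
    ElastAlert2's buffer_time / query-window handling is not modelled here.
    """
    results = []
    run = first_run
    while run <= last_run:
        hits = len(hits_in_window(timestamps, run, timeframe))
        results.append((run, hits, hits >= num_events))
        run += run_every
    return results


def firing_runs(results):
    """Run times at which the modelled rule would have alerted."""
    return [run for run, _, fires in results if fires]


def max_per_bucket(timestamps, bucket: timedelta) -> int:
    """Largest number of documents in any fixed bucket (e.g. per minute).

    Useful to contrast with the sliding window: a low per-minute maximum does
    not mean fewer than num_events documents fell inside one timeframe.
    """
    counts = Counter()
    for t in map(parse_ts, timestamps):
        epoch_secs = int(t.timestamp())
        counts[epoch_secs - epoch_secs % int(bucket.total_seconds())] += 1
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    # Rule parameters: run every minute, alert on 10 documents within 5 minutes.
    start = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    end = start + timedelta(minutes=10)
    runs = simulate_runs(SAMPLE_TIMESTAMPS, start, end,
                         timedelta(minutes=1), timedelta(minutes=5), 10)
    for run, hits, fires in runs:
        print(f"{run:%H:%M}  hits={hits:2d}  {'ALERT' if fires else ''}")
    print("busiest single minute:", max_per_bucket(SAMPLE_TIMESTAMPS, timedelta(minutes=1)))
    for t in hits_in_window(SAMPLE_TIMESTAMPS, firing_runs(runs)[0], timedelta(minutes=5)):
        print("  counted:", t.isoformat())
```

Feed it the real @timestamp values behind an unexpected alert and the run time printed in the debug log; if `hits_in_window` for that run returns fewer than `num_events` documents, the discrepancy is worth raising with the exact hits/matches figures from the log, and if it returns `num_events` or more, the alert was correct for the configured timeframe even though each individual minute was quiet.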