We ingest incident data into a single incidents index. If a document with a priority 1 incident is created in the index, the document will keep its priority 1 status and its "Open" status for an indefinite amount of time. We want to query this index for any P1/open incidents but only ever alert one time. Currently I have it set to query the index for any P1/open incidents created in the last twenty minutes, and I have a 30-minute throttle period defined, and that will work OK except if there is a delay in ingesting data. For example: a P1 incident is created at 10 AM today, but something in our ingestion pipeline fails, we don't ingest any data between 10-11 AM, and we get the data in there at 11:00... the watch looks for anything from within the last 20 minutes, and doesn't find any.
Does that help?
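To make the failure mode concrete, here is an added example (not code from the post or from Elastic) that models the watch described above: a P1/Open filter plus a "last 20 minutes" range, with a 30-minute throttle. It also shows the assumption that explains the miss: the range filter keys on the incident's creation time, while the document only becomes visible at its ingest time. The field names `created_at` and `ingested_at`, the `incidents` index name, the 10-minute trigger interval and the sample documents are all constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone


def T(hour, minute):
    """Helper to build UTC timestamps on a single constructed day."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample documents (not from the original post): INC-1 is the
# P1/Open incident created at 10:00 whose ingestion stalled until 11:00;
# INC-2 is a lower-priority incident that ingested in the same batch.
INCIDENTS = [
    {"id": "INC-1", "priority": 1, "status": "Open",
     "created_at": T(10, 0), "ingested_at": T(11, 0)},
    {"id": "INC-2", "priority": 3, "status": "Open",
     "created_at": T(10, 55), "ingested_at": T(11, 0)},
]

WINDOW = timedelta(minutes=20)


def find_p1_open(docs, now, ts_field, window=WINDOW):
    """Local stand-in for the watch's search at time `now`.

    A document is only searchable once it has been ingested (ingested_at <= now),
    and it matches when it is P1, Open, and `ts_field` falls inside the trailing
    window. Which timestamp field the range filter uses is the assumption that
    decides whether a late-ingested document is ever seen.
    """
    cutoff = now - window
    return [
        d["id"] for d in docs
        if d["ingested_at"] <= now              # not visible before ingestion
        and d["priority"] == 1
        and d["status"] == "Open"
        and d[ts_field] >= cutoff               # inside the trailing window
    ]


def watch_body(ts_field, index="incidents"):
    """Watcher definition in the shape the post describes: P1/Open filter,
    `now-20m` range on `ts_field`, 30-minute throttle. Field and index names
    are assumptions for this example."""
    return {
        "trigger": {"schedule": {"interval": "10m"}},
        "input": {"search": {"request": {
            "indices": [index],
            "body": {"query": {"bool": {"filter": [
                {"term": {"priority": 1}},
                {"term": {"status": "Open"}},
                {"range": {ts_field: {"gte": "now-20m"}}},
            ]}}},
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "throttle_period": "30m",
        "actions": {"log_p1": {"logging": {"text": "P1 open incident(s) found"}}},
    }


if __name__ == "__main__":
    # 10:10 - window would cover the 10:00 creation, but the doc is not ingested yet.
    print("10:10 created_at :", find_p1_open(INCIDENTS, T(10, 10), "created_at"))    # []
    # 11:10 - doc is now ingested, but its creation time is outside now-20m.
    print("11:10 created_at :", find_p1_open(INCIDENTS, T(11, 10), "created_at"))    # []
    # Keying the range on ingest time instead catches the late document.
    print("11:10 ingested_at:", find_p1_open(INCIDENTS, T(11, 10), "ingested_at"))   # ['INC-1']
```

Run as-is it prints the three evaluations: the created-time window never sees INC-1 (too early at 10:10, too late at 11:10), whereas a range on an ingest-time field would match it once the backlog lands. Whether such an ingest-time field exists in the real index is not stated in the post and is assumed here.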