Configuring Correct Monitor Schedule in Kibana: Have Schedule Set as 24 Hours or Throttle Action for 24 Hours?


I have a simple question that I can't seem to find the answer to. If I select 24 hours as the Kibana monitor schedule, when the extraction query for the alert is run, will it catch everything that met the condition within the last 24 hours and condense that into one alert or will it only alert if there's something that's meeting the alert condition at the time it's run? Basically, does it check over the last 24 hours (or however long the interval schedule is) or just that instant?

If I only want one alert every 24 hours regardless of how many times a condition is met, I'm trying to determine if it's better to put the monitor on a 24 hour schedule or run more often (say every minute) and throttle actions to only trigger every 24 hours.

Any advice or insight is appreciated!

What it catches also depends on the query that you're running in the Alert. So make sure that correlates with the schedule interval.

There is a pretty good description of throttling scenarios here: Alert throttling · Issue #42749 · elastic/kibana · GitHub
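As an added illustration (not from the thread, and not Kibana's own code), here is a small Python model of the three options the question weighs: a daily rule whose query only checks the current instant, a daily rule whose query looks back the full 24 hours, and a per-minute rule with its action throttled to once per 24 hours. The event timestamps and the simplified throttle behaviour (an action fires at most once per throttle window) are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: timestamps of documents that match the alert condition
# (made up for this example; not from the thread).
EVENTS = [
    datetime(2024, 1, 1, 0, 30),
    datetime(2024, 1, 1, 6, 15),
    datetime(2024, 1, 1, 23, 45),
    datetime(2024, 1, 2, 12, 0),
    datetime(2024, 1, 3, 1, 0),
]
START = datetime(2024, 1, 1)
END = datetime(2024, 1, 4)


def simulate(events, interval, lookback, throttle, start=START, end=END):
    """Model of a scheduled rule (assumption, not Kibana internals): every
    `interval` the query counts events in (run_time - lookback, run_time].
    A run with hits is a match; the action fires on a match unless it already
    fired within the last `throttle` (zero throttle = fire on every match).
    Returns (events the query ever saw, matching run times, action run times)."""
    seen, matched, fired = set(), [], []
    last_fired = None
    t = start
    while t <= end:
        hits = [e for e in events if t - lookback < e <= t]
        if hits:
            seen.update(hits)
            matched.append(t)
            if last_fired is None or t - last_fired >= throttle:
                fired.append(t)
                last_fired = t
        t += interval
    return seen, matched, fired


H, M = timedelta(hours=1), timedelta(minutes=1)

def instant_query_daily():      # 24h schedule, query covers only the last minute
    return simulate(EVENTS, 24 * H, 1 * M, timedelta(0))

def window_query_daily():       # 24h schedule, query looks back the full 24h
    return simulate(EVENTS, 24 * H, 24 * H, timedelta(0))

def frequent_query_throttled(): # 1m schedule, 1m lookback, action throttled to 24h
    return simulate(EVENTS, 1 * M, 1 * M, 24 * H)

if __name__ == "__main__":
    for f in (instant_query_daily, window_query_daily, frequent_query_throttled):
        seen, matched, fired = f()
        print(f"{f.__name__}: saw {len(seen)}/{len(EVENTS)} events, "
              f"{len(matched)} matching runs, {len(fired)} actions fired")
```

The first option misses every event that happened between runs; the second catches them all but only reports once a day, at the scheduled time; the third detects each event within a minute and still sends at most one action per 24 hours.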