Hello,
I have a scenario where I need to identify any spike in incoming work items. There is a huge spike of around 57000 work items arrived, compared to a maximum of 27000 over the last 3 months, as shown below.
I tried to use a spike rule with the settings below:
```yaml
es_host: xxxxxxx
es_port: 9200
name: Event spike
type: spike
index: work-2021-02
threshold_cur: 1
#threshold_ref: 0
timeframe:
  hours: 2
spike_height: 2
spike_type: "up"
filter:
- query:
    query_string:
      # Note: an unquoted multi-word value such as Integration Error is split
      # into two terms by the query parser (WORK_TYPE:Integration and Error).
      query: "(METRIC_TYPE:WORK_ARRIVED) AND (not WORK_TYPE:Integration Error) AND (WORK_TYPE : TT-214)"
# Restricts matches to documents whose _type is some_doc_type (this value is
# the placeholder used in ElastAlert's example spike rule).
- type:
    value: "some_doc_type"
alert:
- "email"
email:
- xxxxxxxxxxxxxxxx.com
```
Tested the rule with the command below:
```shell
elastalert-test-rule --days 25 example_rules/elastspikerule.yaml
```
If I test the rule with the same time range in which the spike occurred, I still don't get any hits. Kindly let me know if my configuration is fine.
Thanks.
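To make the semantics of the options in the rule above concrete, here is an added example (not ElastAlert's own code and not part of the original post) that mirrors how a spike rule compares two adjacent windows: the current window is the last `timeframe`, the reference window is the `timeframe` before it, and an "up" spike fires when the current count is at least `spike_height` times the reference count and both `threshold_cur` and `threshold_ref` are met. The hourly counts, the date and the `SpikeRule`/`evaluate`/`scan` names are constructed for the illustration; they show why nothing can fire until two full timeframes of data exist and how `threshold_cur` narrows the alerts to the large spike.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not from the post): hourly counts of WORK_ARRIVED
# events for one day, keyed by the start of the hour. Baseline ~6000/hour,
# then a burst at 17:00-18:59 whose two-hour total is 57000, the figure the
# post reports.
HOURLY_COUNTS = {
    datetime(2021, 2, 10, h): c
    for h, c in enumerate([
        6000, 6200, 5900, 6100, 6300, 6000, 6400, 6100,    # 00:00-07:59
        6500, 6200, 6300, 6000, 6100, 6400, 6200, 6300,    # 08:00-15:59
        6100, 30000, 27000, 6000, 5800, 6100, 6200, 6000,  # 16:00-23:59
    ])
}


@dataclass
class SpikeRule:
    """Subset of the spike rule options used in the post (names as in ElastAlert)."""
    timeframe: timedelta
    spike_height: float
    spike_type: str = "up"    # "up", "down" or "both"
    threshold_cur: int = 0    # minimum events in the current window
    threshold_ref: int = 0    # minimum events in the reference window


def window_count(counts, start, end):
    """Sum the hourly buckets whose start falls in [start, end)."""
    return sum(c for ts, c in counts.items() if start <= ts < end)


def evaluate(rule, counts, now):
    """Evaluate the rule at instant `now`. Returns (fired, ref, cur).

    Current window:   [now - timeframe, now)
    Reference window: [now - 2*timeframe, now - timeframe)
    """
    cur_start = now - rule.timeframe
    ref_start = cur_start - rule.timeframe
    # Until two full timeframes of data exist there is no reference window
    # to compare against, so no spike can be detected yet.
    if ref_start < min(counts):
        return False, None, None
    ref = window_count(counts, ref_start, cur_start)
    cur = window_count(counts, cur_start, now)
    if cur < rule.threshold_cur or ref < rule.threshold_ref:
        return False, ref, cur
    # With ref == 0 the "up" test is cur >= 0, which is always true, so the
    # thresholds are what stop an empty reference window from firing on the
    # first few events.
    up = cur >= ref * rule.spike_height
    down = cur <= ref / rule.spike_height
    fired = {"up": up, "down": down, "both": up or down}[rule.spike_type]
    return fired, ref, cur


def scan(rule, counts, step=timedelta(hours=1)):
    """Slide `now` across the data one `step` at a time; return
    {now: (ref, cur)} for every instant at which the rule fires."""
    hits = {}
    now = min(counts) + step
    end = max(counts) + step
    while now <= end:
        fired, ref, cur = evaluate(rule, counts, now)
        if fired:
            hits[now] = (ref, cur)
        now += step
    return hits


if __name__ == "__main__":
    rule = SpikeRule(timedelta(hours=2), spike_height=2, spike_type="up", threshold_cur=1)
    for when, (ref, cur) in scan(rule, HOURLY_COUNTS).items():
        ratio = cur / ref if ref else float("inf")
        print(f"{when:%H:%M}  ref={ref:6d}  cur={cur:6d}  ratio={ratio:.1f}")
```

With the post's settings the scan fires at 18:00 and 19:00 (the window ending at 19:00 holds the full 57000); `spike_type: "both"` would also fire on the drop back to baseline afterwards, and raising `threshold_cur` keeps only the window containing the whole burst. The same two-timeframe warm-up applies to `elastalert-test-rule`: the earliest part of the tested range only seeds the reference window.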