I have an ElastAlert rule with type frequency. If the number of hits is 1000 or more in 60 minutes, it should trigger the alert. The issue is, the moment it reaches 1000 hits within 5-6 minutes, it triggers the alert instead of waiting for the entire 60-minute period. I want it to alert after the 60-minute period is over. I tried adding a realert for 60 minutes but it still did not work. What needs to be done to trigger an alert only when the 60-minute period is over?
type: frequency
index: logstash-*
num_events: 1000
timeframe:
  minutes: 60
realert:
  minutes: 60
query_key: site_name
filter:
- query:
    query_string:
      query: 'NOT site_name: "CCBDN" AND NOT namespace: master'
alert: my_alerts.AlertManager
labels:
  severity: major
  slack: 'true'
  auto_resolve: 'false'
annotations:
  summary: Kibana is getting logs from sites other than CCBDN.
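The behaviour described in the question follows from how a frequency rule counts: it keeps a trailing window of `timeframe` length per `query_key` and fires the moment `num_events` hits fall inside that window, so a burst that reaches 1000 hits in five minutes alerts at hit 1000, not at minute 60; `realert` only silences repeat alerts for that key afterwards. The following Python model is an added illustration, not ElastAlert's own code and not part of the post. It replays a constructed event stream through a sliding-window counter with the rule's numbers (1000 hits, 60-minute window, 60-minute realert) and, for contrast, through a fixed-period counter that reports only when a 60-minute period closes. The event stream, the function names and the `site-a`/`site-b` keys are constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Parameters taken from the rule in the question.
NUM_EVENTS = 1000
TIMEFRAME = timedelta(minutes=60)
REALERT = timedelta(minutes=60)


def frequency_rule_alerts(events, num_events=NUM_EVENTS,
                          timeframe=TIMEFRAME, realert=REALERT):
    """Sliding-window model of a frequency rule with a query_key.

    `events` is a list of (timestamp, key) pairs sorted by timestamp.
    An alert fires for a key as soon as `num_events` of its events lie
    within the trailing `timeframe`; `realert` then suppresses further
    alerts for that key until it expires. Returns the (timestamp, key)
    pairs at which alerts fired.
    """
    windows = {}    # key -> deque of timestamps still inside the window
    silenced = {}   # key -> time until which alerts for the key are suppressed
    alerts = []
    for ts, key in events:
        window = windows.setdefault(key, deque())
        window.append(ts)
        # Evict timestamps that have aged out of the trailing window.
        while window and ts - window[0] > timeframe:
            window.popleft()
        if len(window) >= num_events and ts >= silenced.get(key, datetime.min):
            alerts.append((ts, key))
            silenced[key] = ts + realert
    return alerts


def end_of_period_alerts(events, num_events=NUM_EVENTS, period=TIMEFRAME):
    """Contrast model: count per key in fixed, non-overlapping periods that
    start at the first event, and report a period only once it has closed.
    The alert timestamp is the end of the period, never earlier."""
    if not events:
        return []
    origin = events[0][0]
    counts = {}     # (period index, key) -> number of events
    for ts, key in events:
        bucket = (ts - origin) // period    # timedelta // timedelta -> int
        counts[(bucket, key)] = counts.get((bucket, key), 0) + 1
    return sorted((origin + (bucket + 1) * period, key)
                  for (bucket, key), n in counts.items() if n >= num_events)


def constructed_events():
    """Constructed sample stream (not real log data)."""
    start = datetime(2024, 1, 1, 0, 0, 0)
    events = []
    # site-a: 1000 hits in the first five minutes, one every 300 ms ...
    events += [(start + timedelta(milliseconds=300 * i), "site-a")
               for i in range(1000)]
    # ... and an identical burst starting at minute 61.
    events += [(start + timedelta(minutes=61, milliseconds=300 * i), "site-a")
               for i in range(1000)]
    # site-b: 300 hits over 30 minutes, never enough to alert.
    events += [(start + timedelta(seconds=6 * i), "site-b") for i in range(300)]
    events.sort()
    return start, events


def demo():
    """Run both models and return alert times as seconds after the first event."""
    start, events = constructed_events()
    def offsets(alerts):
        return [((ts - start).total_seconds(), key) for ts, key in alerts]
    return {"sliding": offsets(frequency_rule_alerts(events)),
            "fixed": offsets(end_of_period_alerts(events))}


if __name__ == "__main__":
    for model, alerts in demo().items():
        for secs, key in alerts:
            print(f"{model:8s} alert for {key} at {secs / 60:.2f} min")
```

With this stream the sliding-window model alerts for `site-a` at 4:59.7, the instant the 1000th hit arrives, and again at 65:59.7 once the second burst alone fills the window and the realert has expired; the fixed-period model alerts only at 60:00 and 120:00, when each period closes. `site-b` never alerts in either model because `query_key` keeps its count separate.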