ElastAlert triggering in 5 minutes instead of waiting for 60 minutes

I have an ElastAlert rule with type frequency. If the number of hits is 1000 or more in 60 minutes, it should trigger the alert. The issue is that the moment it reaches 1000 hits within 5-6 minutes, it triggers the alert instead of waiting for the entire 60-minute period. I want it to alert after the 60-minute period is over. I tried adding a realert of 60 minutes, but it still did not work. What needs to be done to trigger an alert only when the 60-minute period is over?

type: frequency
index: logstash-*
num_events: 1000
timeframe:
  minutes: 60
realert:
  minutes: 60
query_key: site_name
filter:
  - query:
      query_string:
        query: 'NOT site_name: "CCBDN" AND NOT namespace: master'
alert: my_alerts.AlertManager
labels:
  severity: major
  slack: 'true'
  auto_resolve: 'false'
annotations:
  summary: Kibana is getting logs from sites other than CCBDN.

Please reach out to the ElastAlert project for help on your issue. We have a watcher product of our own - please check that out as well - here is a quick start guide for that. Please reach out if you have any questions on this.

https://www.elastic.co/guide/en/kibana/current/watcher-ui.html

Thanks
Rashmi
