Hi,
I would like some help in the Rules and Connectors folder,
I created rules based on an Elasticsearch query to detect the number of matches, using a custom threshold that I want to set myself.
However, I don't understand the behavior of the rule's status:
- On the first execution, the rule becomes Active because the number of matches exceeds the defined threshold.
- On the second execution, the rule switches to OK, even though the number of matches is still above the threshold.
I expected the rule to remain Active as long as the match count stays above the threshold, but this isn't happening.
Can someone help me understand why this occurs and how to configure the rule so that it stays Active as long as the threshold is exceeded?
Thank you very much
Hello,
Your understanding is correct; ideally the rule should remain active if it matches your query in the second execution.
Maybe we need to review the logic of the query or check the execution log for the second execution to see what was returned, because of which it is updating the status to Recovered.
Without knowing the query & rule information we will not be able to provide any further input.
Thanks!!
Hello @Tortoise , thank you for the answer.
To give more details: I check every 30 seconds, with Notify: Only on status change (I have tried them all, all with the same result). I have my index and my Elasticsearch query is:
    {
      "query": {
        "bool": {
          "filter": [
            {
              "match": {
                "my_field": "Danger"
              }
            }
          ]
        }
      }
    }
When I test the query, it returns 10.
And in "When number of matches" I put: is above or equals 3 for the last 1 Day.
In the "When number of matches" help it says: "The time window defined below applies only to the first rule check", but I need it to check "above or equals 3 for the last 1 Day" every time (every 30 seconds!).
Thank you very much
Thank you @elastic_interogation for sharing the details.
I have tried to create a test rule and do not see any issues:
It seems you have enabled the setting below, because of which it gets recovered if there are no new records and the count of records remains the same for that duration; if you uncheck it, the alert will remain Active.

Thanks!!
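A small Python model of the behaviour discussed in this thread, added here as an illustration and not Kibana's own code. It assumes (a simplification) that "Exclude matches from previous run" works by counting only documents newer than the latest hit of the previous run, which is why the configured time window effectively applies only to the first check; the names `run_rule`, `RuleState` and `simulate` are made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Doc:
    ts: float        # document timestamp, epoch seconds (constructed)
    my_field: str


@dataclass
class RuleState:
    latest_ts: Optional[float] = None   # newest hit timestamp seen by the previous run


def run_rule(docs: List[Doc], now: float, state: RuleState, window_s: float = 86400,
             threshold: int = 3, exclude_previous: bool = True) -> Tuple[str, int]:
    """One evaluation of a simplified Elasticsearch-query rule (assumed model).

    The window keeps documents from the last `window_s` seconds. When
    `exclude_previous` is on, the lower bound is raised to the newest
    timestamp matched in the previous run, so only newer documents count.
    """
    lower = now - window_s
    if exclude_previous and state.latest_ts is not None:
        lower = max(lower, state.latest_ts)
    hits = [d for d in docs if d.my_field == "Danger" and lower < d.ts <= now]
    if hits:
        state.latest_ts = max(d.ts for d in hits)
    status = "Active" if len(hits) >= threshold else "OK"
    return status, len(hits)


def simulate(exclude_previous: bool) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Two runs 30 s apart over the same 10 'Danger' documents (constructed data)."""
    now = 1_700_000_000.0
    docs = [Doc(now - 3600 * i, "Danger") for i in range(10)]   # one per hour, last day
    docs.append(Doc(now - 60, "Safe"))                          # never matches
    state = RuleState()
    first = run_rule(docs, now, state, exclude_previous=exclude_previous)
    second = run_rule(docs, now + 30, state, exclude_previous=exclude_previous)
    return first, second


if __name__ == "__main__":
    # With exclusion the second run sees 0 new docs and recovers to OK;
    # without it the same 10 docs keep the rule Active.
    print("exclude on :", simulate(True))
    print("exclude off:", simulate(False))
```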
Thank you very much for trying all of that; it seems that I may have less functionality available here.
I don't have "Exclude matches from previous run".
thanks!