I am exploring the Kibana alerts feature by creating rules and trying to index the actions in an index.
I have it working, though the behavior of it seems unexpected (at least from where I am standing).
The rules interface has this note:
If the time window is greater than the check interval and a document matches the query in multiple runs, it is used in only the first threshold calculation.
If I understand this correctly, based on the behavior that I am seeing, if some documents matched in the earlier rule run, they will not be considered to evaluate against the threshold in the next run.
For example, I set "Check every" to 1 minute so that I get alerted as early as possible when things go wrong.
And if I set the time window to 120 minutes, even though there may be errors in the last 120 minutes, the alarm may not be considered active if errors didn’t happen between the last run and now (which is basically the last 1 minute).
So, I might as well set the time window to 1. When would one want to set a very high value for the time window compared to "Check every"?
(Ideally, what I am looking for is "Alert when the number of errors/timeperiod is greater than a certain threshold for the last N time periods", similar to AWS CloudWatch alerting behavior.)
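An added example, not from the original post and not Kibana's own code: a small Python model of the semantics the rule editor's note describes (each document counted once, in the first run whose window contains it), beside the naive per-window count and the CloudWatch-style "sustained over N periods" check the question asks for. Document timestamps, run schedule and thresholds are constructed.

```python
"""Model of a threshold rule's time window vs. check interval, plus a
CloudWatch-style 'over threshold for N consecutive periods' check.
Times are whole minutes from an arbitrary origin (constructed sample)."""

# Constructed sample: three matching documents, two at minute 3, one at minute 4.
SAMPLE_DOCS = [("doc-a", 3), ("doc-b", 3), ("doc-c", 4)]


def simulate_runs(docs, runs, check_every, time_window, threshold, dedup=True):
    """Run the rule `runs` times, the first run at minute `check_every`.

    dedup=True: a document is counted only in the first run whose window
    contains it and ignored afterwards (what the rule editor's note says).
    dedup=False: every document inside the window counts on every run
    (the naive reading). Returns (run_minute, count, active) per run."""
    seen = set()
    results = []
    for i in range(1, runs + 1):
        now = i * check_every
        in_window = [(d, m) for d, m in docs if now - time_window < m <= now]
        if dedup:
            in_window = [(d, m) for d, m in in_window if d not in seen]
            seen.update(d for d, _ in in_window)
        count = len(in_window)
        results.append((now, count, count >= threshold))
    return results


def sustained_rate_alert(docs, now, period, n_periods, threshold):
    """Alert only if each of the last `n_periods` consecutive periods ending
    at `now` has more than `threshold` matches.
    Returns (alert, per-period counts with the newest period first)."""
    counts = []
    for k in range(n_periods):
        hi = now - k * period
        lo = hi - period
        counts.append(sum(1 for _, m in docs if lo < m <= hi))
    return all(c > threshold for c in counts), counts


if __name__ == "__main__":
    # Check every 1 minute, window 120 minutes, threshold 2, six runs.
    for dedup in (True, False):
        print("dedup" if dedup else "naive",
              simulate_runs(SAMPLE_DOCS, 6, 1, 120, 2, dedup))
    # Two consecutive 1-minute periods ending at minute 4, each needing > 0 errors.
    print(sustained_rate_alert(SAMPLE_DOCS, 4, 1, 2, 0))
```

With dedup the rule is active only on the run at minute 3 and drops back at minute 4 despite the 120-minute window, while the naive count stays at 3 for the rest of the window; the sustained check is the per-period behavior the question describes.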