Kibana rule false positive

Hey there,
We have alerting rules in our company which are triggered even though it seems that they shouldn't.

In this example I've configured the alert to trigger when the number of docs is below 75k for the last 30 mins. When running the "Test query" I can see that in the last 30m there are over 290k docs, hence the alert should not fire, and as you can see it is active.

Then I copied the DSL query using "Copy query" and ran it in the console under <OUR_INDEX>/_search, and saw that the number of hits is limited to 10k.


Then I modified the threshold of the rule to below 9999 to see if the alert is still triggered,
and surprisingly it recovered, which maybe means that it checks the doc count against the limit (10k)?

Please help me figure this out, thanks!

bumping

Hi @amityahav ,

Indeed that's the limitation related to track_total_hits mentioned here

track_total_hits

(Optional, integer or Boolean) Number of hits matching the query to count accurately. Defaults to 10000.

If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query.

Have you tried using query DSL instead of KQL or Lucene and passing track_total_hits there?
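As an added illustration (not code from the thread or from Elastic), this builds the query DSL body with `track_total_hits` set and shows how to read `hits.total.relation` from a response: a `relation` of `gte` means the total is only a capped lower bound and must not be compared against a threshold as if it were exact. The `@timestamp` field and the two sample responses are constructed assumptions.

```python
import json


def build_query(minutes=30, track_total_hits=True):
    """Query DSL body for 'all docs in the last N minutes'.

    @timestamp is an assumed field name. With track_total_hits=True
    Elasticsearch counts every matching hit instead of stopping at 10,000.
    """
    return {
        "size": 0,  # only the count is needed, not the documents
        "track_total_hits": track_total_hits,
        "query": {
            "range": {"@timestamp": {"gte": f"now-{minutes}m", "lte": "now"}}
        },
    }


def evaluate_rule(response, threshold):
    """Decide a 'doc count below threshold' rule from a search response.

    Returns True if the count is definitely below the threshold, False if it is
    definitely not, and None when the total is a capped lower bound (relation
    'gte') that cannot decide the rule either way.
    """
    total = response["hits"]["total"]
    value, relation = total["value"], total.get("relation", "eq")
    if relation == "eq":
        return value < threshold
    # relation == "gte": the real count is at least `value`
    if value >= threshold:
        return False
    return None


# Constructed sample responses (not real cluster output).
CAPPED = {"hits": {"total": {"value": 10000, "relation": "gte"}, "hits": []}}
EXACT = {"hits": {"total": {"value": 290000, "relation": "eq"}, "hits": []}}

if __name__ == "__main__":
    print(json.dumps(build_query(), indent=2))
    print("capped response vs 75000:", evaluate_rule(CAPPED, 75000))  # None
    print("exact response vs 75000:", evaluate_rule(EXACT, 75000))   # False
```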