Kibana rule false positivie

amityahav · May 22, 2023, 2:06pm

Hey there,
We have alerting rules in our company which are triggered even though it seems that they shouldnt

in this example i've configured the alert to trigger when then number of docs is below 75k for the last 30mins. and when running the "Test query" i can see that in the last 30m there are over 290k docs. hence the alert should not fire and as you can see it is active.

then i copied the DSL query using "Copy query" and ran in console under <OUR_INDEX>/_search and saw that the number of hits are limited by 10k

then i've modified the threshold of the rule to below 9999 to see if the alert is still triggered.,
and surprisingly it is recovered, which means maybe that it checks the doc count against the limit (10k)?

Please help me figure this out, thanks!

amityahav · May 24, 2023, 1:10pm

bumping

maryam-saeidi · May 31, 2023, 1:25pm

Hi @amityahav ,

Indeed that's the limitation related to track_total_hits mentioned here

track_total_hits

(Optional, integer or Boolean) Number of hits matching the query to count accurately. Defaults to 10000.

If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query.

Have you tried using query DSL instead of KQL or Lucene and passing track_total_hits there?

Topic		Replies	Views
Elastisearch query rule type hits contains only one document Logs elastic-stack-alerting	16	1956	August 30, 2021
How to alert based on filter query count? Index Threshold Rule Type? Kibana	2	598	January 2, 2023
Alert if index has 0 documents in last X minutes (Rules and connectors or Detection Rules) Kibana elastic-stack-alerting	6	600	September 8, 2022
Create Alert from index data Kibana elastic-stack-alerting	5	1565	August 16, 2022
How to create alert monitor where hits is over 100 Kibana elastic-stack-alerting	7	831	September 14, 2020

Kibana rule false positivie

Related topics