Kibana rules de-duplication behavior

Tkachleo · September 26, 2021, 1:57pm

Hi,
I'm experiencing an issue with the behavior of Kibana Rules.
I have Metricbeat writing different metrics to Elasticsearch every 10 seconds.
I want to create rules using Elasticsearch Query over the values that are being inserted.
i.e. I want to be alerted when a specific value drops below 90.
I configured the rule to run every 5 seconds for fast notifications.
What i'm experiencing is:

The rule is triggered and a notification is sent.
After 5 seconds, the next time the rule is querying the condition, it's being recovered, even though no new data inserted to Elasticsearch.

So after another 5 seconds (when Metricbeat is indexing new data), if the value is still below 90, i will be notified again, even though it wasn't actually recovered.
And when the value will actually be recovered, i wouldn't be aware of it, since it was "auto-recovered" after 5 seconds.

Any idea how to get around this issue?

Thanks in advance!

ying.mao · September 27, 2021, 12:54pm

Hi @Tkachleo, here is a detailed explanation of the deduplication behavior in the ES query rule, which occurs when the schedule interval is smaller than the time window of the query. Can you set your schedule interval to 10 seconds to match the ingest interval of Metricbeat?

Tkachleo · September 29, 2021, 4:53am

Yes, actually i played around with it, and it did seem to solve the issue, but here's a small complication - one of the indices i want to set rules for is not coming from Metricbeat, and I cant reliably know what'll be the rate if the insertion. Any way around the "recovery" of the rules in this case?
Thanks!

system · October 27, 2021, 4:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.