This is more likely a real-time monitoring system, sending data via collectd and storing it in ES using LS. Given the same query string and window (in milliseconds), elastalert sometimes reports fewer hits than what I can find in ES. I guess elastalert might send the query slightly early (a few seconds) before the data actually comes down to elasticsearch. It misses 1 or 2 hits even though the full data events are found in ES. Can I configure elastalert to query with a slight delay? Or am I guessing in the wrong way?
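The race described in the question can be reproduced without a cluster: an event carries the timestamp collectd stamped on it, but it only becomes searchable once Logstash has indexed it, so a window query issued the moment the window closes cannot see events that are still in flight. The following is an added example, not code from the thread or from ElastAlert; the event timestamps, the ingest lags and the `hits_visible` / `count_with_delay` / `max_ingest_lag` helpers are constructed for illustration. It models the windowed count with and without a query delay, and derives the smallest delay that would have covered the observed lag, which is the value one would put into ElastAlert's `query_delay` rule option.

```python
from datetime import datetime, timedelta

# Constructed sample: "ts" is the event's own @timestamp (set by collectd),
# "indexed_at" is when Logstash finished writing it into Elasticsearch.
EVENTS = [
    {"ts": datetime(2024, 1, 1, 12, 0, 5),  "indexed_at": datetime(2024, 1, 1, 12, 0, 7)},
    {"ts": datetime(2024, 1, 1, 12, 0, 25), "indexed_at": datetime(2024, 1, 1, 12, 0, 27)},
    {"ts": datetime(2024, 1, 1, 12, 0, 55), "indexed_at": datetime(2024, 1, 1, 12, 1, 4)},  # 9 s ingest lag
    {"ts": datetime(2024, 1, 1, 12, 0, 58), "indexed_at": datetime(2024, 1, 1, 12, 1, 1)},  # 3 s ingest lag
]


def hits_visible(events, window_start, window_end, query_time):
    """Events with @timestamp in [window_start, window_end) that were already
    indexed when the query ran; ES can only return documents it has."""
    return [
        e for e in events
        if window_start <= e["ts"] < window_end and e["indexed_at"] <= query_time
    ]


def count_with_delay(events, window_start, window_end, query_delay):
    """Count hits for the window when the query is issued `query_delay`
    after the window closes (delay of zero = query as soon as it closes)."""
    query_time = window_end + query_delay
    return len(hits_visible(events, window_start, window_end, query_time))


def max_ingest_lag(events):
    """Largest (indexed_at - ts) seen; a query delay at least this long
    would have made every event in the sample visible on time."""
    return max(e["indexed_at"] - e["ts"] for e in events)


def demo():
    """Same window, same query, three query times: immediate, delayed, and
    'much later' (what a manual Kibana/ES search finds afterwards)."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    end = start + timedelta(minutes=1)
    immediate = count_with_delay(EVENTS, start, end, timedelta(0))
    delayed = count_with_delay(EVENTS, start, end, timedelta(seconds=30))
    eventually = len(hits_visible(EVENTS, start, end, datetime.max))
    return immediate, delayed, eventually


if __name__ == "__main__":
    now, later, all_hits = demo()
    print(f"query at window close: {now} hits; with 30 s delay: {later}; in ES eventually: {all_hits}")
    print(f"largest observed ingest lag: {max_ingest_lag(EVENTS).total_seconds():.0f} s")
```

The immediate query sees 2 of the 4 events and the delayed one sees all 4, which is exactly the "1 or 2 missing hits" symptom. Measuring `max_ingest_lag` over real data (the gap between `@timestamp` and an ingest-time field stamped by Logstash) gives a defensible value for the delay rather than a guess, and a lag that grows over time is itself worth alerting on, since it means the monitoring pipeline is falling behind.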