So are you sure that you have some events on that interval+look-back time?
As for a test, you can increase your look-back time and check if it catches the old events. But for the real use case, you probably don't want a very big look-back time (because it will reprocess all old queries for each execution).
Oh sure. I generate events, and I specifically wait for the rule to be worked out.
It is noteworthy that the correlation rules I created myself work properly.
Yes, it's quite strange if you don't see any alerts in the rule, but see events in discovery for this time range.
Maybe it can be a good idea to debug this rule: create several new ones, each containing only part of the query, like: event.category : "network". Then you can see which rule has alerts and which hasn't, and maybe it gives you the clue.
Hi @Yuriy_Tsarenko, Sorry you are having trouble with your custom query rule producing expected alerts.
As a test, I created a similar rule on my 8.3.3 system, and it seems to be working fine for me. I have an alert for every document that appears in Discover. I am not aware of any query behavior differences between 8.3.1 and 8.3.3.
Here is my rule (of course, its query contains a different value of destination.domain), but it is otherwise identical to your rule query.
You can see over the past 56 hours, it generated 169 alerts, one for each document that matches the query. It runs every 5 minutes with 1 min additional look-back time.
Here is Discover over the same time period, by taking the rule query, and just pasting it into the KQL query bar. You can see I also get 169 documents.
One possibility is what @Nikita_Khristinin suggested earlier. Is there any chance that your data is delayed significantly before it is ingested into Elasticsearch? If it were delayed more than 9 minutes, then your rule query would "miss" it. Sometimes these delays can be caused by external queuing systems, or system clocks that are out of synchronization, or other conditions.
As a test to rule this out, can you modify your rule to have an additional look-back time of 20 minutes? And let us know if this makes a difference?
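To make the ingestion-delay theory from this reply concrete, here is an added simulation (my own example code, not from the thread or from Elastic). It assumes a rule run queries `@timestamp` in `[run_time - interval - look_back, run_time]` and can only see documents already ingested at run time; the schedule origin, the 5 min / 1 min settings and the event timestamps are constructed values.

```python
from datetime import datetime, timedelta

# Constructed model (assumed values, not anyone's real cluster data): a scheduled
# rule queries @timestamp in [run_time - interval - look_back, run_time], but it
# can only match documents that were already searchable when that run happened.

def rule_window(run_time, interval, look_back):
    """Range of @timestamp values one scheduled run queries."""
    return run_time - interval - look_back, run_time

def is_event_caught(event_ts, ingest_delay, interval, look_back, first_run, runs=48):
    """True if some run both covers event_ts and happens after the document
    becomes searchable (event_ts + ingest_delay)."""
    searchable_at = event_ts + ingest_delay
    for i in range(runs):
        run_time = first_run + i * interval
        start, end = rule_window(run_time, interval, look_back)
        if start <= event_ts <= end and run_time >= searchable_at:
            return True
    return False

def caught_for_every_phase(ingest_delay, interval, look_back, first_run,
                           step=timedelta(seconds=10)):
    """Sweep the event time across one full interval: a delay is only safe if it
    is caught wherever the event falls relative to the schedule, which holds
    exactly when look_back >= ingest_delay."""
    t = first_run
    while t < first_run + interval:
        if not is_event_caught(t, ingest_delay, interval, look_back, first_run):
            return False
        t += step
    return True

def demo():
    """Scenarios from the thread: 5 min interval with 1 min vs 20 min look-back."""
    first_run = datetime(2024, 1, 1, 0, 0, 0)       # assumed schedule origin
    every_5m, lb_1m, lb_20m = (timedelta(minutes=5), timedelta(minutes=1),
                               timedelta(minutes=20))
    event = datetime(2024, 1, 1, 0, 2, 0)            # constructed event @timestamp
    return {
        "delay_30s_lookback_1m": is_event_caught(event, timedelta(seconds=30), every_5m, lb_1m, first_run),
        "delay_10m_lookback_1m": is_event_caught(event, timedelta(minutes=10), every_5m, lb_1m, first_run),
        "delay_10m_lookback_20m": is_event_caught(event, timedelta(minutes=10), every_5m, lb_20m, first_run),
        "delay_60s_all_phases": caught_for_every_phase(timedelta(seconds=60), every_5m, lb_1m, first_run),
        "delay_90s_all_phases": caught_for_every_phase(timedelta(seconds=90), every_5m, lb_1m, first_run),
    }

if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name}: {'alert' if caught else 'MISSED'}")
```

The last two scenarios show why the look-back setting is the knob to turn: an ingest delay larger than the look-back is caught or missed depending purely on where the event lands in the schedule, which matches "sometimes alerts, sometimes not" symptoms.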
Thank you very much for your help and advice. The problem was solved, but I cannot unequivocally point to its causes.
Steps:
Updated time sync.
Deleted my rule.
Created a new one, but without specifying the domain.
And alerts began to come, just before that, all services and the server itself were restarted.
Something subtly influenced the fact that the rule did not work correctly.
Next, I added the domain to the request, and continued to receive alerts properly.