Query DSL alert configuration

I am trying to use the Elasticsearch Query DSL to create an alert

The query consists of LIMIT 100 but the actual output is less than 10.

When I ran the test query: Query matched 852597 documents in the last 5m.

What am I doing wrong or missing out?

### Settings below are default

Set the group, threshold, and time window

when count()
over all documents
Is above 10
for the last 5 minutes

Set the number of documents to send

Size 10

Hello @Whoami1980

As you are using query DSL:

Query matched 1150 documents in last 5d
Size → Controls how many docs are RETURNED/SENT

Now, if you are saying that as per your index data only 5-10 records match your query, but the Query DSL shows a higher count, then the issue is with the query being executed, and that needs to be reviewed.

Thanks!!

This is the query I am using. I am not sure what else is wrong.

POST /_query?format=txt
{
  "query": """
  FROM ABCD*:metrics-logstash*
|   WHERE @timestamp > NOW() - 60 minutes
    AND (logstash.pipeline.total.queues.current_size.bytes) IS NOT NULL
    AND (logstash.pipeline.total.queues.max_size.bytes) > 0
|   STATS
      max_workers      = MAX(logstash.pipeline.info.workers),
      max_batch        = MAX(logstash.pipeline.info.batch_size),
      max_pq_bytes     = MAX(logstash.pipeline.total.queues.current_size.bytes),
      max_queues_size  = MAX(logstash.pipeline.total.queues.max_size.bytes)
    BY host.hostname, logstash.pipeline.name
|   EVAL pq_percent = ROUND((TO_DOUBLE(max_pq_bytes) / max_queues_size) * 100, 2)
|   WHERE pq_percent > 40
|   SORT pq_percent DESC
|   LIMIT 10
    """
}
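
As an added example (not from the thread or from Elastic), this Python simulation of the post's ES|QL pipeline runs over constructed Logstash metrics documents: many documents pass the first WHERE, but STATS collapses them to one row per host and pipeline, so the rows left after the pq_percent filter and LIMIT are few. Hostnames, queue sizes and field values are constructed.

```python
"""Simulate the ES|QL pipeline from the post over constructed documents to show
why documents matched by WHERE differ from rows returned after STATS/LIMIT."""
from collections import defaultdict

# Constructed sample documents: several polls per (host, pipeline), as a
# metrics index would hold over a time window.
SAMPLE_DOCS = []
for host, pipeline, max_size, cur_sizes in [
    ("ls-01", "main", 1000, [100, 450, 500]),   # peaks at 50% -> passes filter
    ("ls-01", "audit", 1000, [50, 60, 70]),     # 7% -> filtered out
    ("ls-02", "main", 2000, [900, 1200, 300]),  # 60% -> passes filter
    ("ls-03", "main", 0, [10, 20]),             # max_size 0 -> dropped by WHERE
]:
    for cur in cur_sizes:
        SAMPLE_DOCS.append({
            "host.hostname": host,
            "logstash.pipeline.name": pipeline,
            "logstash.pipeline.info.workers": 4,
            "logstash.pipeline.info.batch_size": 125,
            "logstash.pipeline.total.queues.current_size.bytes": cur,
            "logstash.pipeline.total.queues.max_size.bytes": max_size,
        })


def run_pipeline(docs, threshold=40, limit=10):
    """Return (documents matched by WHERE, rows left after STATS/EVAL/WHERE/LIMIT)."""
    # WHERE ... IS NOT NULL AND max_size > 0 (time filter omitted: all docs in window)
    matched = [d for d in docs
               if d["logstash.pipeline.total.queues.current_size.bytes"] is not None
               and d["logstash.pipeline.total.queues.max_size.bytes"] > 0]
    # STATS MAX(...) BY host.hostname, logstash.pipeline.name
    groups = defaultdict(lambda: {"max_pq_bytes": 0, "max_queues_size": 0})
    for d in matched:
        g = groups[(d["host.hostname"], d["logstash.pipeline.name"])]
        g["max_pq_bytes"] = max(g["max_pq_bytes"], d["logstash.pipeline.total.queues.current_size.bytes"])
        g["max_queues_size"] = max(g["max_queues_size"], d["logstash.pipeline.total.queues.max_size.bytes"])
    # EVAL pq_percent = ROUND((TO_DOUBLE(max_pq_bytes) / max_queues_size) * 100, 2)
    rows = [{"host": h, "pipeline": p,
             "pq_percent": round(g["max_pq_bytes"] / g["max_queues_size"] * 100, 2)}
            for (h, p), g in groups.items()]
    # WHERE pq_percent > 40 | SORT pq_percent DESC | LIMIT 10
    rows = sorted((r for r in rows if r["pq_percent"] > threshold),
                  key=lambda r: r["pq_percent"], reverse=True)[:limit]
    return len(matched), rows
```

Nine documents match the WHERE clause here, yet only two rows survive to be sent, which is the gap between the "documents matched" count and the Size of the alert output.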

Hello @Whoami1980

If you want to check for the last 5 minutes, then it should be minus 5 minutes:

Thanks!!

@Tortoise

Our query DSL is "FROM :metrics-logstash"

However when creating the alert rule it needs to select specific indices.

Is it possible to use wildcard?

Also, when we specify some indices,

there isn't any time field to select. Any advice?