Rules don't create an alert when the value is 0 or the index does not exist

Kibana v 7.13.3

Hi! I created a rule with "Index threshold". I set:

INDEX (I chose index pattern for datastream and "Time field")
WHEN count()
OVER all documents
IS BELOW 10000
FOR THE LAST 10 minutes

Problem: When events enter the index, the rule works fine. When there are fewer docs than my value in "IS BELOW 10000", I get an alert.
BUT if the index (datastream) is absent, or docs don't enter the index for more than the value in "FOR THE LAST", I see on the "Alert Visualisation" that "count()" is zero, which is less than the threshold. But the alert doesn't work. I tried setting BETWEEN instead of BELOW and using values from 0 to 1, but it doesn't help me.

Hi Andrei :wave:

I believe you've encountered a bug that was fixed in 7.14.1 and 7.15.0: [Alerting] Allow rule to execute if the value is 0 and that mets the condition by chrisronline · Pull Request #105626 · elastic/kibana · GitHub

I'd recommend upgrading to the latest version if you can.

If you're curious about why this is happening - aggregations don't return values when there is no data, and we mistakenly missed an edge case where this wasn't handled correctly.
This should now be addressed fully. :slight_smile:
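
The edge case described in the reply above, as an added illustration (not Kibana's code and not taken from the linked pull request): a threshold check that skips a count of 0 or a missing aggregation, next to one that evaluates it. The aggregation name `window`, the function names, the comparator semantics and the sample responses are assumptions constructed for this example.

```javascript
// Constructed search responses (not captured from a real cluster). The
// aggregation name "window" is a hypothetical filter aggregation that counts
// documents inside the rule's time window.
const responses = {
  busy: { aggregations: { window: { doc_count: 25000 } } },
  quiet: { aggregations: { window: { doc_count: 42 } } },
  silent: { aggregations: { window: { doc_count: 0 } } },
  // Index pattern matched nothing: the response carries no aggregations.
  missingIndex: { hits: { total: { value: 0 } } },
};

// The two rule shapes tried in the question.
const belowRule = { comparator: 'below', threshold: [10000] };
const betweenRule = { comparator: 'between', threshold: [0, 1] };

// Assumed semantics for this example: "below" is strict, "between" is inclusive.
function conditionMet(value, rule) {
  const [a, b] = rule.threshold;
  switch (rule.comparator) {
    case 'below': return value < a;
    case 'between': return value >= a && value <= b;
    default: throw new Error(`unknown comparator: ${rule.comparator}`);
  }
}

// Flawed: a truthiness check treats a count of 0 (and a missing aggregation)
// as "nothing to evaluate", so a log source that goes silent never alerts.
function naiveShouldAlert(resp, rule) {
  const value = resp.aggregations && resp.aggregations.window.doc_count;
  if (!value) return false;
  return conditionMet(value, rule);
}

// Corrected: an absent aggregation means zero documents, and zero is
// compared against the threshold like any other value.
function shouldAlert(resp, rule) {
  const value = resp.aggregations?.window?.doc_count ?? 0;
  return conditionMet(value, rule);
}

for (const [name, resp] of Object.entries(responses)) {
  console.log(name, 'naive:', naiveShouldAlert(resp, belowRule),
    'fixed:', shouldAlert(resp, belowRule));
}
```

With the flawed check, switching from BELOW to BETWEEN 0 and 1 changes nothing, because the comparison is never reached when the count is 0.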

Very Very big ThanX.


Any time :elasticheart:
