When creating an Alert with a webhook action, I have to fill out
Check every
Select an index and size
When number of matches
See screenshot below.
Question 1 =)
If check every is 1 day, and index size is the default 100, how is it possible to get 1000 matches in 5 minutes (default value)? I would have expected the max number of matches would be the index size?
Question 2 =)
If I have understood documents correctly, then they are the log lines/log entries?
If that is correct, why would one want to set an index size? Let's say Check every is 1 day, and more than 100 documents/log lines/log entries have been created. Why would I only want to search in the last 100 and not all created in the last day?
Question 3 =)
Why would one want to set the threshold "For the last" to a value less than Check every?
The size parameter for Elasticsearch query controls the maximum number of documents that are available to you inside the context variables when your rule meets the specified conditions. It does not limit your query to only searching inside the first {size} documents in an index.
For example, if you specify a query, where during execution, the query matches 554 documents within an index, having a size parameter of 100 will allow you to have access to the first 100 documents (within the context.hits context variable) that matched the query, but the condition check uses the actual match count (in this case 554). Here is the documentation for using context.hits within your action: Elasticsearch query rule docs
context.value will give you the actual number of documents that matched your specified query and was used to evaluate the rule condition. The reason we added the size parameter is because returning the actual documents that are matched does put some load on the system. If you don't see a need for accessing the source documents, you could set the size parameter to 0.
I hope that addresses Questions 1 and 2!
WRT Question 3, the alerting framework allows this flexibility so that users can have the choice to set the For the last value to less than Check every if that makes sense for their use case. Perhaps they expect to receive some documents at a particular time every day, so they set their rule to check every 1d but just in the last 1h because that is all they care about. That being said, we do have an issue open around allowing each rule type to automatically set the Check every value based on the For the last time window. It sounds like for your use case, you want to check every 1d for the last day, in which case I would set both values to 1d.
I hope that helps! Please let me know if there's anything that's still unclear.
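To make the answer above concrete, here is a small simulation of one rule execution. It is an added example, not Kibana's or Elasticsearch's own code, and it stands in for the real query with a plain Python filter. It uses constructed sample log entries and the assumed names `evaluate_rule`, `make_sample_docs` and `is_server_error`; what it shows is that the "For the last" window decides which documents are searched, that `size` only caps how many matched documents land in `context.hits`, and that the threshold condition is checked against the full match count (`context.value`), so a `size` of 100 does not stop 554 or 1000 matches from being counted.

```python
"""Simulation of how an Elasticsearch query rule evaluates its condition.

Added example (not Kibana's own code). It models the three settings from the
question: the "For the last" time window, the query, and the size parameter,
and shows that `size` only caps context.hits while the condition uses the
full match count (context.value). Sample documents are constructed inline.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ONE_DAY = timedelta(days=1)
ONE_HOUR = timedelta(hours=1)


def make_sample_docs(now, total=1440, errors=554):
    """Construct one log entry per minute for the last `total` minutes.

    The `errors` most recent entries carry HTTP status 500, the rest 200.
    """
    docs = []
    for i in range(total):
        docs.append({
            "@timestamp": now - timedelta(minutes=i),
            "http.response.status_code": 500 if i < errors else 200,
            "message": f"request {i} (constructed)",
        })
    return docs


def is_server_error(doc):
    """Query clause: status_code >= 500 (stand-in for a KQL/DSL query)."""
    return doc["http.response.status_code"] >= 500


def evaluate_rule(docs, now, time_window, query, size, threshold):
    """Return (fired, context) for one rule execution.

    - time_window: the "For the last" setting; only docs with a timestamp in
      (now - window, now] are searched, whatever "Check every" is set to.
    - size: how many matching source docs are exposed as context.hits.
    - threshold: fires when the match count is above it ("is above" condition).
    """
    window_start = now - time_window
    matched = [
        d for d in docs
        if window_start < d["@timestamp"] <= now and query(d)
    ]
    # Newest first, like a query sorted on @timestamp desc.
    matched.sort(key=lambda d: d["@timestamp"], reverse=True)
    context = {
        "value": len(matched),    # the count the condition is checked against
        "hits": matched[:size],   # capped by size; size=0 exposes no source docs
    }
    fired = context["value"] > threshold
    return fired, context


DOCS = make_sample_docs(NOW)

if __name__ == "__main__":
    for window, size, threshold in [
        (ONE_DAY, 100, 1000),   # 554 matches: counted in full, hits capped at 100
        (ONE_DAY, 100, 500),    # same matches, lower threshold: fires
        (ONE_HOUR, 0, 50),      # shorter window: 60 matches, no hits returned
    ]:
        fired, ctx = evaluate_rule(DOCS, NOW, window, is_server_error, size, threshold)
        print(f"window={window} size={size} threshold={threshold}: "
              f"fired={fired} context.value={ctx['value']} "
              f"len(context.hits)={len(ctx['hits'])}")
```

With the constructed data, a 1-day window and `size=100` gives `context.value` of 554 while `context.hits` holds only 100 documents; narrowing the window to 1 hour drops the count to 60, and `size=0` keeps that count while returning no source documents, which is the lighter-weight setting the answer recommends when the action does not need the documents themselves.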