Watcher issues using ranger query for @timestamp with slow processing speed

Jasonespo · June 24, 2020, 9:48am

Hi guys,

So I was wondering today if there would be a better way to do use watchers. We use the below to search the past 2minutes worth of data for anything that matches our query.

   "filter": [
            {
              "range": {
                "@timestamp": {
                  "gte": "now-{{ctx.metadata.window_period}}"

It works as I expect however it poses issues if we have slow processing speed.

When considering the below screenshot, data is being "back filled" and will never be queried by our watchers.

Is there a way that we would be able to use our range query to query something like the last log time -2minutes?

Thanks in advance

Jasonespo · June 29, 2020, 2:06pm

bump

system · July 27, 2020, 2:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.