Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Any limit to generate alerts depending on the size of query_key values? #1348

Open mrchang7 opened 6 years ago

mrchang7 commented 6 years ago

Hello,

I'm using metric_aggregation and testing how many alarms can be generated by elastalert. (I'm assuming I cannot use a compound key with metric aggregation yet. Please let me know if it's available in the latest version.)

The metrics come from many simulated nodes into Elasticsearch and there is no data loss. I'm using query_key for the unique id of those nodes to generate the same alerts (of command type). In my rule, I'm not using the 'use_count_query' or 'use_terms_query' option.

From my observation, elastalert generates the expected X number of alarms as long as I run up to 50 nodes. But if I use, say, Y more nodes than 50, the number of alarms being generated is reduced by Y.

If anybody could give a clue to this problem I would appreciate it. Or any test methods that I can try out?

Thanks!

mrchang7 commented 6 years ago

Adding 'terms_size: 100' solved this issue without using "use_terms_query" option.

But I still cannot understand why, as the documentation says this option is about the number of "terms" (or fields?) that the query would fetch from Elasticsearch, not the number of "values" of the query_key. I guess it could be related to the result from the metric aggregation query. Any explanation would be appreciated.

p.s. does elastalert use terms aggregations? https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html
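As an added illustration of the behaviour reported in both comments above (not code from the issue thread or from the ElastAlert project), the following Python models what happens when a metric_aggregation rule has a query_key. My reading of elastalert/elastalert.py (assumption; confirm against your version's get_aggregation_query) is that ElastAlert nests the metric aggregation under an Elasticsearch terms bucket aggregation on the query_key field with size set to terms_size, which defaults to 50. A terms aggregation returns at most size buckets (ordered by doc_count), so with 50 + Y distinct query_key values only 50 buckets come back and only 50 can alert, which matches the "reduced by Y" observation and explains why terms_size: 100 fixes it. The document list, field names and threshold are constructed sample data; the metric name format is my assumption as well.

```python
from collections import defaultdict


def build_metric_agg_query(query_key, metric_agg_key, metric_agg_type, terms_size=50):
    """Shape of the aggregation body ElastAlert sends for a metric_aggregation rule.

    Assumption (mine): with a query_key the metric agg is wrapped in a terms
    bucket agg of size terms_size; without one only the metric agg is sent.
    """
    metric_name = "metric_%s_%s" % (metric_agg_key, metric_agg_type)
    metric = {metric_name: {metric_agg_type: {"field": metric_agg_key}}}
    if query_key is None:
        return {"aggs": metric}
    return {
        "aggs": {
            "bucket_aggs": {
                "terms": {"field": query_key, "size": terms_size},
                "aggs": metric,
            }
        }
    }


def simulate_terms_agg(docs, field, size, metric_field, metric_type="max"):
    """Minimal model of an Elasticsearch terms bucket agg with a metric sub-agg.

    Groups docs by `field`, computes the metric per bucket, then keeps only the
    top `size` buckets by doc_count (ties broken by key for determinism). This
    truncation is the part that caps the number of alertable buckets.
    """
    groups = defaultdict(list)
    for doc in docs:
        groups[doc[field]].append(doc[metric_field])
    reducer = {
        "max": max,
        "min": min,
        "sum": sum,
        "avg": lambda values: sum(values) / len(values),
    }[metric_type]
    buckets = [
        {"key": key, "doc_count": len(values), metric_type: reducer(values)}
        for key, values in groups.items()
    ]
    buckets.sort(key=lambda b: (-b["doc_count"], str(b["key"])))
    return buckets[:size]


def count_alerts(docs, query_key, metric_field, metric_type, threshold, terms_size=50):
    """Number of query_key values that would fire a max_threshold style alert."""
    buckets = simulate_terms_agg(docs, query_key, terms_size, metric_field, metric_type)
    return sum(1 for bucket in buckets if bucket[metric_type] > threshold)


def make_docs(num_nodes, samples_per_node=5, value=95.0):
    """Constructed sample data: every node reports the same high cpu value,
    so every node should trigger an alert if none are dropped."""
    return [
        {"node_id": "node-%03d" % n, "cpu": value}
        for n in range(num_nodes)
        for _ in range(samples_per_node)
    ]


if __name__ == "__main__":
    docs = make_docs(60)
    # Default terms_size (50): ten nodes silently fall off the end of the
    # terms aggregation and never alert.
    print(count_alerts(docs, "node_id", "cpu", "max", 90.0))
    # terms_size: 100 restores one alert per node.
    print(count_alerts(docs, "node_id", "cpu", "max", 90.0, terms_size=100))
    print(build_metric_agg_query("node_id", "cpu", "max", terms_size=100))
```

The practical check is to set terms_size comfortably above the number of distinct query_key values you expect, or to split the rule so each instance covers fewer keys; a terms aggregation that is too small drops buckets without any error in the response, so the missing alerts would otherwise go unnoticed.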