Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

10,000 query hits limit for 'metric_aggregation' rules #3027

Open sebastienbonami opened 3 years ago

sebastienbonami commented 3 years ago

Hi, I have several 'metric_aggregation' rules and I noticed that some of them return 10,000 query hits every time.

So now I'm wondering where that 10,000 limit is and how I can increase it?

I tried changing the value of max_query_size, but it didn't work. According to the documentation, by default it's supposed to scroll until processing all results, right?

Thank you.

sebastienbonami commented 3 years ago

Thanks for the help. I'm using 'metric_aggregation' as the rule type so AFAIK it's not possible to set use_count_query in this case.

Any other ideas?

Thank you.

sebastienbonami commented 3 years ago

I've looked at this again and setting the value of max_query_size, max_scrolling_count, scroll_keepalive and max_aggregation still keeps the query hits of my rules at 10,000.

It seems ElastAlert is not scrolling at all. If we look at #1723, we see in the logs that it's scrolling, but I never saw something like that in my logs.

Thanks for the help.

sebastienbonami commented 3 years ago

@nsano-rururu Closing or deleting indices is not acceptable for me, as I want to query all the data (within 5 minutes, for example, where there are sometimes more than 10,000 results, which I don't consider excessive).

sebastienbonami commented 3 years ago

@nsano-rururu I see. The thing is, this is not a performance issue, but rather a limitation or a bug. Why does a rule stop querying after reaching 10,000 hits? I still don't have the answer to that question.

"If you find a similar issue in a past issue, we will contact you."

I don't understand what you mean by that.

Thank you.

nsano-rururu commented 3 years ago

Yelp/elastalert is no longer maintained. Please use jertel/elastalert. Please direct questions to the discussion below: https://github.com/jertel/elastalert/discussions

nsano-rururu commented 3 years ago

@sebastienbonami

If track_total_hits is set to true, 10,000 hits or more can be searched, but since the option is not used in elastalert, it cannot be changed.

Elasticsearch version 7.0.0 Release note https://www.elastic.co/guide/en/elasticsearch/reference/current//release-notes-7.0.0.html

Track total hits up to 10,000 by default

https://elasticsearch-py.readthedocs.io/en/7.x/api.html

track_total_hits – Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
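As an added example (not ElastAlert's or elasticsearch-py's own code), the snippet below shows the Elasticsearch 7 `hits.total` shape behind the 10,000 figure and a small check that distinguishes a capped count from an exact one; the response documents, index fields and aggregation names are constructed for illustration.

```python
# Added example: interpret the ES 7 hits.total object and build a search body
# that asks for an exact total. Responses below are constructed, not captured.
from typing import Any, Dict, Tuple

DEFAULT_TRACK_LIMIT = 10_000  # Elasticsearch 7 default value of track_total_hits


def build_search_body(query: Dict[str, Any], aggs: Dict[str, Any],
                      track_total_hits: bool = True) -> Dict[str, Any]:
    """Aggregation-only search body (size 0). With track_total_hits=True the
    cluster counts every match instead of stopping at the 10,000 cap."""
    return {"size": 0, "query": query, "aggs": aggs,
            "track_total_hits": track_total_hits}


def total_hits(response: Dict[str, Any]) -> Tuple[int, bool]:
    """Return (count, exact). ES 7 reports hits.total as {"value", "relation"};
    relation "gte" means the value is only a lower bound. ES 6 reports a plain
    integer, which is always exact."""
    total = response["hits"]["total"]
    if isinstance(total, int):
        return total, True
    return int(total["value"]), total.get("relation", "eq") == "eq"


def count_is_capped(response: Dict[str, Any]) -> bool:
    """True when the reported total is a lower bound at (or above) the cap, i.e.
    an 'N / N hits' log line would not reflect the real number of matches."""
    count, exact = total_hits(response)
    return (not exact) and count >= DEFAULT_TRACK_LIMIT


# Constructed responses. The aggregation result is identical in all three; only
# the reported hit count differs, which is the 10,000 figure seen in rule logs.
CAPPED_RESPONSE = {"hits": {"total": {"value": 10000, "relation": "gte"}, "hits": []},
                   "aggregations": {"avg_bytes": {"value": 512.0}}}
EXACT_RESPONSE = {"hits": {"total": {"value": 23417, "relation": "eq"}, "hits": []},
                  "aggregations": {"avg_bytes": {"value": 512.0}}}
ES6_RESPONSE = {"hits": {"total": 23417, "hits": []},
                "aggregations": {"avg_bytes": {"value": 512.0}}}

if __name__ == "__main__":
    body = build_search_body({"range": {"@timestamp": {"gte": "now-5m"}}},
                             {"avg_bytes": {"avg": {"field": "bytes"}}})
    print(body["track_total_hits"], total_hits(CAPPED_RESPONSE),
          count_is_capped(CAPPED_RESPONSE), count_is_capped(EXACT_RESPONSE))
```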