I've been trying to understand the meaning of num_hits as it relates (if at all) to num_matches. I understand now that when I get an alert, the num_hits is pretty meaningless as it only says what were the number of hits for the latest query.
But what I don't understand is how, for a given timeframe, say 2021-11-29 22:06 UTC and 2021-11-29 22:16 UTC, reported num_hits is 121, while directly viewing the data in Kibana shows 89 hits. As I understand, hits refers to documents retrieved in a single query, so how can this be possible? from what I gather, num_hits should be at most89 in this case, but I wouldn't be surprised if I'm wrong.
For reference/context I'm attaching some properties of my rule:
I've been trying to understand the meaning of
num_hitsas it relates (if at all) tonum_matches. I understand now that when I get an alert, thenum_hitsis pretty meaningless as it only says what were the number of hits for the latest query.But what I don't understand is how, for a given timeframe, say
2021-11-29 22:06 UTCand2021-11-29 22:16 UTC, reportednum_hitsis121, while directly viewing the data in Kibana shows89hits. As I understand,hitsrefers to documents retrieved in a single query, so how can this be possible? from what I gather,num_hitsshould be at most89in this case, but I wouldn't be surprised if I'm wrong.For reference/context I'm attaching some properties of my rule: