Hi, wondering if there's a way to limit alerts to events that occurred in the last 5 min only.
Right now my rule is querying an index, and it's pulling thousands of hits, but these are historical.
Is there any way to limit the search to the current timestamp minus 5 min? Can't figure out how to limit the search timeframe to the last X min.
name: SDP DEV - errors
is_enabled: false
# Alert on x events in y seconds
type: frequency
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 5
filter:
- query:
    query_string:
      query: |
        host.hostname:web05 AND (log.file.path:*MessagingService*.log OR log.file.path:*general.log)
        AND (message:"*ERROR*" OR message:"*error*" OR message:"*Error*")
index: filebeat-*
# if errors continue send a new alert after x minutes
realert:
  minutes: 0
query_key:
- log.file.path
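One way to pin the query to the most recent five minutes, as an added configuration example rather than the poster's own rule: ElastAlert passes each entry under `filter` through as raw Elasticsearch query DSL, so a `range` clause on the event timestamp can sit beside the existing `query_string`. It assumes the Filebeat documents carry their event time in `@timestamp` (the default for Filebeat, but verify it matches the rule's `timestamp_field`).

```yaml
name: SDP DEV - errors
is_enabled: false
type: frequency
num_events: 1
timeframe:
  minutes: 5
# Optional: how far back ElastAlert looks on each run; keeping it at the
# alert window avoids re-reading older documents on startup.
buffer_time:
  minutes: 5
filter:
- query:
    query_string:
      query: |
        host.hostname:web05 AND (log.file.path:*MessagingService*.log OR log.file.path:*general.log)
        AND (message:"*ERROR*" OR message:"*error*" OR message:"*Error*")
# Added range clause: only documents whose event time is within the last
# five minutes (relative to query time) can count toward num_events.
# "@timestamp" is assumed to be the event-time field of the Filebeat index.
- range:
    "@timestamp":
      gte: "now-5m"
      lte: "now"
index: filebeat-*
realert:
  minutes: 0
query_key:
- log.file.path
```

Because the range is evaluated by Elasticsearch at query time, a backlog of older error lines in the index no longer satisfies the rule even if ElastAlert's own search window is wider.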