starttime vs timeframe

[NDevox]

Running alerts with a timeframe seems to be completely overrun by starttime, which seems to be based on run_every.

Essentially I want to run frequency (and various) other checks over the last, for example, 2 hours, but I want to run it ever 5 minutes and re-alert after 2 hours.

However when I do this it runs every five minutes, checks over the last 5 minutes, and will re-alert in 2 hours. The timeframe it checks seems to get overridden.

example:

es_host: localhost
es_port: 9200
name: test_frequency
type: frequency
index: logstash-*
num_events: 5
timeframe:
    minutes: 60
buffer_time:
    minutes: 60
use_count_query: true
doc_type: solr
filter: []
alert: email
realert:
    minutes: 10

The run_every in config is set to 30 seconds.

In this case the timeframe checked is 30 seconds not 60 minutes.

Any ideas? I think this is due to start defaulting to present.

[Qmando]

Each query is only 30 seconds wide, but all the data is stored, so if 5 events occur within two hours, it will alert. buffer_time only determines the query window size when use_count_query: false, then it would query 60 minutes every time. Another option is to add query_delay: hours: 2, which would push the queries back two hours.

[NDevox]

Makes sense.

Is there a way to output what the query is when running? It would be good to see what exactly is being asked for each time.

[Qmando]

Add the option --es_debug_trace

[NDevox]

Thanks will do.

On Mon, Jan 25, 2016 at 5:06 PM Quentin Long notifications@github.com wrote:

Add the option --es_debug_trace

— Reply to this email directly or view it on GitHub https://github.com/Yelp/elastalert/issues/383#issuecomment-174586919.