"Aggregation" doesn't work for my config

[BrianNiu]

here is part of what I config for my frequency rule, and I am expecting elastalert will consolidate all matched documents and sent them all together in one Email, per minute. But what actually happened is that it will send out the mail occasionally, i have no clue about when it will be triggered. Please help, Thx!

num_events: 0 timeframe: minutes: 1 aggregation:

schedule: '* * * * * *'

And from log I could see some logs mentioned "Ignoring match for silenced rule ***", which is not what I am expecting also.

Thanks.

[Qmando]

Try adding

realert:
  minutes: 0

also, num_events: 0 doesn't really make sense. You can replace num_events and timeframe with type: any instead.

[BrianNiu]

OK, trying. And what does 'minutes: 0' mean?

[kiawin]

@BrianNiu it means it will not ignore alerts

You can read more here https://elastalert.readthedocs.org/en/latest/ruletypes.html#realert

[BrianNiu]

Thanks, Kiawin. But from what's being said in doc you shared, it also mentions "aggregation: This option allows you to aggregate multiple matches together into one alert. Every time a match is found, ElastAlert will wait for the aggregation period, and send all of the matches that have occurred in that time for a particular rule together."

So you mean, "aggregation" will ignore some matched docs rather than giving all matches in one alert?

[kiawin]

@BrianNiu So let's say our run_every is set to minutes: 1 (check to be performed every 1 minute), aggregation is set to minutes: 3 (only consider as an alert if rule matches for consecutive 3 minutes), and realert is set to minutes: 0 (do not ignore any repeating alerts), then we should be getting alerts as per aggregation value (if we assume the rule matches all the time).

However when we set realert to any value other than minutes: 0, then the subsequent alert may be ignored (and hence not triggered) depending on the realert value.