Open MaxFlanders opened 8 years ago
Yes, it will alert. That configuration looks fine.
timeframe can be as long as you want. buffer_time just affects how big each individual query is; events will stay in memory for the entire duration of the timeframe.
If I have an alert configured like this:
type: frequency
run_every:
  minutes: 10
buffer_time:
  minutes: 10
realert:
  minutes: 10
num_events: 2
timeframe:
  minutes: 30
Will it ever fire, because the buffer time is lower than the timeframe? Or do previously caught documents persist in memory for the frequency calculation?
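A simplified model of the behaviour described in the reply, as an added example (not ElastAlert's code and not part of the thread): each run queries only the last buffer_time of data, while matched events stay in an in-memory window for the whole timeframe. The function name, the constructed timestamps, and the choice to clear the window after a match are assumptions of this sketch.

```python
from collections import deque
from datetime import datetime, timedelta

M = timedelta(minutes=1)
START = datetime(2024, 1, 1, 0, 0)          # constructed start time
CFG = dict(run_every=10 * M, buffer_time=10 * M, realert=10 * M,
           num_events=2, timeframe=30 * M)  # values from the rule in the question

def simulate_frequency_rule(event_times, start, runs, run_every, buffer_time,
                            timeframe, num_events, realert):
    """Return the run times at which this simplified model would alert."""
    window = deque()   # event timestamps kept in memory across runs
    seen = set()       # guards against double counting if queries overlap
    alerts, last_alert = [], None
    for i in range(1, runs + 1):
        now = start + i * run_every
        # One query per run, covering only the last buffer_time.
        hits = sorted(t for t in event_times
                      if now - buffer_time < t <= now and t not in seen)
        for t in hits:
            seen.add(t)
            window.append(t)
            # Expire events older than timeframe relative to the newest one.
            while window and window[0] < t - timeframe:
                window.popleft()
            if len(window) >= num_events:
                # realert suppresses repeat alerts inside its interval.
                if last_alert is None or now - last_alert >= realert:
                    alerts.append(now)
                    last_alert = now
                window.clear()  # assumption: window resets after a match
    return alerts

if __name__ == "__main__":
    # Constructed events 25 minutes apart: never in the same query,
    # but both inside one 30-minute timeframe.
    near = [START + 3 * M, START + 28 * M]
    # Constructed events 35 minutes apart: outside the timeframe.
    far = [START + 3 * M, START + 38 * M]
    print(simulate_frequency_rule(near, START, 6, **CFG))
    print(simulate_frequency_rule(far, START, 6, **CFG))
```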