elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Elasticsearch query rule with KQL evaluation matched doc count does not work for 10,000 #176453

Closed XavierM closed 9 months ago

XavierM commented 9 months ago

If you create an Elasticsearch query rule with the KQL option, set a doc count threshold above 10,000, and there are more than 10,000 documents when you test the query, then it will never trigger an alert. However, if you change the threshold to 9,999, it will trigger an alert.

I think the problem is that the search in KQL is not setting tracking total hits to true. Therefore, we never meet the threshold.


Please check SDH
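To make the failure mode concrete, the following is an added Python example (not code from this issue or from the Kibana code base) that constructs two Elasticsearch search responses by hand and shows how a doc count threshold check behaves when `track_total_hits` is left at its default versus set to `true`.

```python
from typing import Optional, Tuple

# Elasticsearch stops counting at 10,000 matches unless the request sets
# track_total_hits (true, or an integer at least as large as the threshold).
# Up to the cap the count is exact ("eq"); at the cap it is a lower bound ("gte").
TRACK_TOTAL_HITS_DEFAULT = 10_000

# Constructed responses (not captured from a real cluster) for a query that
# matches 12,345 documents: one without track_total_hits, one with it enabled.
CAPPED_RESPONSE = {"hits": {"total": {"value": 10_000, "relation": "gte"}, "hits": []}}
EXACT_RESPONSE = {"hits": {"total": {"value": 12_345, "relation": "eq"}, "hits": []}}


def build_query(query_string: str, threshold: int) -> dict:
    """Search body for a threshold rule; the KQL is assumed to be already
    converted to query_string syntax. track_total_hits: true is what makes a
    comparison against a threshold above 10,000 meaningful."""
    return {
        "size": 0,
        "track_total_hits": True,
        "query": {"query_string": {"query": query_string}},
    }


def naive_threshold_met(response: dict, threshold: int) -> bool:
    """The comparison the rule effectively makes when it trusts hits.total.value
    as an exact count: silently false for any threshold above the cap."""
    return response["hits"]["total"]["value"] >= threshold


def matched_count(response: dict) -> Tuple[int, bool]:
    """Return (count, exact). exact is False when the count is only a lower bound."""
    total = response["hits"]["total"]
    if isinstance(total, int):  # rest_total_hits_as_int=true style responses
        return total, True
    return total["value"], total.get("relation", "eq") == "eq"


def threshold_met(response: dict, threshold: int) -> Optional[bool]:
    """True or False when the response can answer; None when the capped count
    cannot decide, so the rule should log the gap instead of staying silent."""
    count, exact = matched_count(response)
    if count >= threshold:  # a lower bound that already reaches the threshold is enough
        return True
    if exact:
        return False
    return None  # capped lower bound below the threshold: undecidable
```

Running `threshold_met(CAPPED_RESPONSE, 10_001)` returns `None` where the naive comparison returns `False`, which is exactly the silent non-alert the issue describes; with `EXACT_RESPONSE` the same threshold evaluates to `True`.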

elasticmachine commented 9 months ago

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

jughosta commented 9 months ago

Great catch, @XavierM! Thanks!