Some intermitent trigger

[lennonpcwb]

I have a basic flow like most of ones here,
Kibana have the full payload using actions thru connector:
One Action to trigger alert,

and another one to trigger the recovered..

the connector write inside the index i've set, no problem... with these news related to decom of ms_teams webhook I migrate to use ms_powerautomate, the alerts when trigged it's ok, but when I change the alerts to use the recovered, isn't trigged even writed in the index.. some times yes some times not.. if I set realert to minutes: 0, if I leave with 1 minute.. sometimes work sometimes not... another problem is related to aggregation, I tried to use aggregation_key by hostname.keyword.. but still when alert or recovered doesn't matter coming only one alert and in this rule it's to 3 vms for example.. only one came..

Follow my actual rule:

rule1ex: |- --- name: "SpecificRule1 - NonProd" type: any index: teams-alerts timeframe: minutes: 1 realert: minutes: 0 filter: - terms: level.keyword: - "Warn" - "Major" - "Critical" aggregation_key: "hostname.keyword" alert: - ms_power_automate ms_power_automate_webhook_url: "{{ $channell }}" generate_kibana_discover_url: true kibana_discover_app_url: "xxxxxxxxxxxxxxx" kibana_discover_index_pattern_id: "xxxxxxxxxxxxxxxxxx" kibana_discover_version: "8.13" ms_power_automate_teams_card_width_full: true ms_power_automate_summary_text_size: large ms_power_automate_body_text_size: medium ms_power_automate_kibana_discover_attach_url: true

Someone have any thoughts in how is the correct way to do that?

[jertel]

You can enable debug logging and follow along between an alert that works properly, and one that does not. Compare those logs to identify the different behavior.