Question on frequency rule behavior - need some light on how run_every and timeframe params are used to determine a match

[rpotnuru]

Hey Guys,
We are trying to run few frequency type rules, and the global run_every is set to 1 min and the timeframe in my frequency rule is set to 5 mins.
When I verify the start time and end time of the rule stats under status index, I always see that the rule is running for the only 1 min, instead of 5 mins. Could some one please help me understand the behavior of frequency rule scheduling.

Appreciate your help in this regard.

[jertel]

Hello. The subject of this discussion is misleading. It's stating that frequency rules do not respect the timeframe parameter. However, it appears more like you are unsure of how ElastAlert 2 is designed to function.

All rules are queried against Elasticsearch every 1 minute, or as specified in the run_every parameter. Upon each execution, the rule looks backward over the specified timeframe to determine if an alert should be triggered.

[rbkumar88]

Hi, @jertel but during rule execution, its not looking backward over the specified timeframe but rather only till the last time it ran.

[jertel]

It collects in memory what is sees every minute, and compares that total to the num_events parameter. See the ruletypes.py source code between lines 232 and 271.

elastalert2/elastalert/ruletypes.py

Line 232 in 27deb8a

def add_data(self, data):

ElastAlert 2 needs to run for the entire timeframe duration before it will start alerting.

[rbkumar88]

does it work the same way when we have use_count_query set as true

[jertel]

Yes, see lines 213-222.

[rpotnuru]

thank you @jertel for a quick response, I updated the subject.

Does that mean that after each run, is sums up the matching events in last 5 runs (in my case) to determine whether there is a match or not?