Question about rule functioning #1415

ngms17 · 2024-04-03T11:40:04Z

ngms17
Apr 3, 2024

I have a rule that is running every minute. I noticed that the logs show this:

Apr 02 16:54:16 evesuri elastalert[15474]: INFO:elastalert:Queried rule Flows spike from 2024-04-02 16:53 WEST to 2024-04-02 16:54 WEST: 40317 hits
Apr 02 16:54:16 evesuri elastalert[15474]: INFO:elastalert:Queried rule Flows spike from 2024-04-02 16:54 WEST to 2024-04-02 16:54 WEST: 0 hits
Apr 02 16:54:16 evesuri elastalert[15474]: INFO:elastalert:Ran Flows spike from 2024-04-02 16:53 WEST to 2024-04-02 16:54 WEST: 0 query hits (0 already seen), 0 matches, 0 alerts sent

The rule runs correctly between 16:53 and 16:54. But i why does it show hits from 16:54 to 16:54?

Then it seems that the rule only count the hits from 16:54 to 16:54...

Can someone please explain to me why this happens?

Thanks!

Answered by jertel

Apr 3, 2024

The query hits value in the last log line is misleading. It's only representing the most recent query, even though this rule run consisted of multiple queries (broken into time segments). The log line could show cumulative hits, but for whatever reason the author chose to show the most recent queries hits.

Regardless, the number of matches is the important metric in that log line. It's saying that neither of the two queries for this rule run found a match. It would depend on the rule type and rule parameters to determine what constitutes a match.

Terminology:

Hits are the number of records the query found.
Matches are the number of times the query records exceeded the threshold for the ru…

View full answer

jertel · 2024-04-03T12:04:03Z

jertel
Apr 3, 2024
Maintainer

The query hits value in the last log line is misleading. It's only representing the most recent query, even though this rule run consisted of multiple queries (broken into time segments). The log line could show cumulative hits, but for whatever reason the author chose to show the most recent queries hits.

Regardless, the number of matches is the important metric in that log line. It's saying that neither of the two queries for this rule run found a match. It would depend on the rule type and rule parameters to determine what constitutes a match.

Terminology:

Hits are the number of records the query found.
Matches are the number of times the query records exceeded the threshold for the rule to trigger an alert.

Example:

Suppose you have a rule that only triggers an alert when a record's field value is over 7.0.
The query finds 3000 records that match the rule filter, but none of them have a field value over 7.0.

Result:

Hits = 3000
Matches = 0

1 reply

ngms17 Apr 3, 2024
Author

Thanks for the reply! I understand it.

Now when this spike rule triggers it sends an email, but the email Does not show any specific values. Most of the fields are with value "0".

The body of the email is this:

Flows spike

An abnormal number (0) of events occurred around 2024-04-03 13:25 WEST.
Preceding that time, there were only 0 events within 0:01:00

@timestamp: 2024-04-03T12:25:12.590025Z
num_hits: 0
num_matches: 1
reference_count: 0
spike_count: 0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Question about rule functioning #1415

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Question about rule functioning #1415

ngms17 Apr 3, 2024

Replies: 1 comment · 1 reply

jertel Apr 3, 2024 Maintainer

ngms17 Apr 3, 2024 Author

ngms17
Apr 3, 2024

Replies: 1 comment 1 reply

jertel
Apr 3, 2024
Maintainer

ngms17 Apr 3, 2024
Author