Tags: elasticsearch, elasticsearch-plugin, elastalert

ElastAlert fires even without a match


I have a simple Flatline alert to alert when the number of events falls below the threshold. I keep getting this alert at every given interval, even though there is a lot of data way above the threshold in the index. My config is:

    # (Required)
    # Rule name, must be unique
    name: fraud-impr-flatline

    # (Required)
    # Type of alert.
    type: flatline

    # (Required)
    # Index to search, wildcard supported
    index: logstash-fraud*

    # (Required, flatline specific)
    # Alert when fewer than this many events are seen per timeframe
    threshold: 100

    # Use a count query instead of fetching documents; doc_type is needed for this
    use_count_query: true
    doc_type: fraud-impr

    # (Required, flatline specific)
    # Window over which events are counted
    timeframe:
      minutes: 30

    # (Required)
    # The alert is used when a match is found
    alert:
    - "email"

    # (required, email specific)
    # a list of email addresses to send alerts to
    email:
    - "[email protected]"

This is such a basic alert, but I have never been able to get this working. What am I missing here?


Solution

  • After looking at the logs, I figured out it was trying to query @timestamp for the time ranges, whereas my time data was in the "time" field. Updated the config to timestamp_field: time and everything worked fine.
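The failure mode described in the answer above, replayed as an added example that is not part of the original post or of ElastAlert's own code. A flatline rule counts the documents whose timestamp falls inside the last timeframe and alerts when that count is below threshold; the field it filters on is timestamp_field, which defaults to @timestamp. The model below builds the range filter for that count (a simplified shape, assumed to mirror what ElastAlert sends to Elasticsearch), evaluates it locally over a constructed sample index in which every event carries its time only in a field named "time", and shows that the default field yields a count of zero, so the rule fires on every run, while timestamp_field: time yields the real count. All document contents and timestamps are constructed for the example.

```python
"""Why a flatline rule fires when timestamp_field is wrong (added example).

Stand-alone model of ElastAlert's flatline logic: count documents in the
last `timeframe` via a range filter on `timestamp_field` (default
`@timestamp`) and fire when the count is below `threshold`. Not
ElastAlert's code; the query shape is a simplified assumption.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample index: 150 events in the last 30 minutes, each stamped
# only in a field called "time" (there is no "@timestamp" on any document).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"type": "fraud-impr", "time": (NOW - timedelta(seconds=12 * i)).isoformat()}
    for i in range(150)
]


def build_count_query(timestamp_field, start, end):
    """Range filter for one count window; the field comes from the rule.

    Assumption: this mirrors the filter ElastAlert issues for a count query
    when it substitutes `timestamp_field` (or its default `@timestamp`).
    """
    return {
        "query": {
            "bool": {
                "filter": {
                    "range": {
                        timestamp_field: {"gt": start.isoformat(), "lte": end.isoformat()}
                    }
                }
            }
        }
    }


def count_hits(docs, query):
    """Evaluate the range filter locally, the way Elasticsearch would.

    A document that lacks the filtered field never matches a range query,
    which is exactly what happens when @timestamp is queried on documents
    that only carry `time`.
    """
    (field, bounds), = query["query"]["bool"]["filter"]["range"].items()
    gt = datetime.fromisoformat(bounds["gt"])
    lte = datetime.fromisoformat(bounds["lte"])
    hits = 0
    for doc in docs:
        value = doc.get(field)
        if value is None:
            continue  # field absent -> no match, regardless of the event's real time
        if gt < datetime.fromisoformat(value) <= lte:
            hits += 1
    return hits


def flatline_fires(docs, rule, now=NOW):
    """One evaluation of a flatline rule; returns (count, fires)."""
    timeframe = timedelta(**rule["timeframe"])
    field = rule.get("timestamp_field", "@timestamp")  # ElastAlert's default field
    query = build_count_query(field, now - timeframe, now)
    count = count_hits(docs, query)
    return count, count < rule["threshold"]


# The rule from the question, without and with the fix from the answer.
RULE_BROKEN = {"threshold": 100, "timeframe": {"minutes": 30}}
RULE_FIXED = dict(RULE_BROKEN, timestamp_field="time")

if __name__ == "__main__":
    for label, rule in (("default @timestamp", RULE_BROKEN), ("timestamp_field: time", RULE_FIXED)):
        count, fires = flatline_fires(SAMPLE_DOCS, rule)
        print(f"{label:22s} count={count:3d} fires={fires}")
```

Running it prints a count of 0 and fires=True for the rule as posted, and 150 with fires=False once timestamp_field names the field the documents actually have. The practical check before trusting any count-based rule is the same one the answer used: look at the range filter in ElastAlert's debug log and confirm the field it names exists in the index mapping.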