Tags: elasticsearch, elastalert

ElastAlert alert every hour instead of minute for a certain rule


I've got an ElastAlert service that sends alerts every minute. I've now configured a flatline rule in order to alert me if there has been no new data for the past hour.

As expected, the rule ran for one hour to make sure that there had been no events coming in. But then it started sending alerts every minute (respecting the config above). How do I change that and tell ElastAlert to alert me every hour instead of every minute on this specific rule?


Solution

  • Can you set the realert config option to 60 minutes? (default is 1)

    Realert

    realert: This option allows you to ignore repeating alerts for a period of time. If the rule uses a query_key, this option will be applied on a per key basis. All matches for a given rule, or for matches with the same query_key, will be ignored for the given time. All matches with a missing query_key will be grouped together using a value of _missing. This is applied to the time the alert is sent, not to the time of the event. It defaults to one minute, which means that if ElastAlert is run over a large time period which triggers many matches, only the first alert will be sent by default. If you want every alert, set realert to 0 minutes. (Optional, time, default 1 minute)
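As an added illustration (not part of the question or the answer above), here is a complete flatline rule file with realert raised to 60 minutes; the rule name, index pattern and e-mail address are placeholders I chose, not values from the original post.

```yaml
# Constructed example rule file, e.g. rules/no_data_last_hour.yaml.
# Rule name, index pattern and recipient are placeholders.
name: no-data-last-hour
type: flatline
index: app-logs-*            # assumed index pattern

# flatline matches when fewer than `threshold` events arrive
# within `timeframe`, i.e. "no new data for the past hour".
threshold: 1
timeframe:
  hours: 1

# Without this line realert keeps its 1 minute default, so once the
# flatline condition holds an alert goes out on every run of the service.
# 60 minutes suppresses repeat alerts for this rule for an hour.
realert:
  minutes: 60

# Optional: watch several sources in one rule and suppress per source.
# query_key: host.name

# Empty filter list means "match everything in the index".
filter: []

alert:
- email
email:
- "oncall@example.com"       # placeholder recipient
```

realert is a per-rule option, so the global run_every in config.yaml can stay at one minute for the other rules; note that the suppression window is measured from when the alert was last sent, not from the event time.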