Hi, for alerts I am doing the query in Discover and then copying it from Inspect, but there the date in the query is not relative but absolute. How can I do it in alerting so the query automatically covers only, say, the last 5 minutes? What I mean is: I want a query every X minutes which checks ES only for results from the last 5 minutes, not for all records or limited by an absolute date (which makes no sense).
Hi @cyberzlo
You could use “Range query” to filter the result when defining the monitor, see this for detail: Range query | Elasticsearch Guide [8.4] | Elastic
In your use case, the query might be (assuming timestamp is the field that stores the time):
```json
{
  "query": {
    "range": {
      "timestamp": {
        "gte": "now-5m",
        "lt": "now"
      }
    }
  }
}
```
And then set the Monitor Schedule to run the monitor every X minutes.
Tianli
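The following is an added example, not code from the thread above or from the OpenSearch project. It wraps the relative range query from the answer in a monitor definition for the OpenSearch Alerting API, and resolves the same `now-5m` date math locally against a handful of constructed documents so you can see what the window selects on two consecutive runs compared with an absolute window copied out of Discover. The index name `app-logs`, the field name `timestamp`, the reference time, the sample events and the trigger condition are all assumptions for the demonstration.

```python
"""Added example, not code from the original thread: build an OpenSearch
Alerting monitor body around the relative range query from the answer, and
resolve the same date-math window locally against constructed documents to
show what "now-5m" selects at different run times versus an absolute window
copied from Discover. Assumed names (not in the thread): index "app-logs",
field "timestamp", a trigger that fires on at least one hit."""
import re
from datetime import datetime, timedelta, timezone

TIMESTAMP_FIELD = "timestamp"  # assumed field holding the event time
# Constructed reference time for the offline demonstration.
BASE = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def relative_range_query(field=TIMESTAMP_FIELD, window="now-5m"):
    """The range query from the answer: lower bound relative to query time."""
    return {"query": {"range": {field: {"gte": window, "lt": "now"}}}}


def monitor_body(index, interval_minutes, field=TIMESTAMP_FIELD, window="now-5m"):
    """Body for POST _plugins/_alerting/monitors (OpenSearch Alerting API;
    trigger shape is the query-level monitor form, assumed here).
    The schedule period sets how often the search runs; the query itself only
    looks back over `window`, so each run covers a sliding window rather than
    the whole index or a fixed absolute interval."""
    return {
        "type": "monitor",
        "name": f"{index}-last-{window.replace('now-', '')}",
        "enabled": True,
        "schedule": {"period": {"interval": interval_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": [index],
                               "query": relative_range_query(field, window)}}],
        "triggers": [{
            "name": "any-hit",
            "severity": "1",
            "condition": {"script": {"lang": "painless",
                                     "source": "ctx.results[0].hits.total.value > 0"}},
            "actions": [],
        }],
    }


def resolve_bound(expr, now):
    """Resolve a range bound: either an ISO-8601 timestamp or the date-math
    subset now[+N<unit>|-N<unit>]*[/<unit>] (units s, m, h, d), which covers
    "now-5m" and "now". A trailing /unit truncates to that unit. Anything
    else is rejected rather than silently misparsed."""
    if not expr.startswith("now"):
        return datetime.fromisoformat(expr)
    rest, _, rounding = expr[3:].partition("/")
    if not re.fullmatch(r"(?:[+-]\d+[smhd])*", rest) or (rounding and rounding not in _UNITS):
        raise ValueError(f"unsupported date math: {expr!r}")
    t = now
    for sign, amount, unit in re.findall(r"([+-])(\d+)([smhd])", rest):
        delta = timedelta(**{_UNITS[unit]: int(amount)})
        t = t + delta if sign == "+" else t - delta
    if rounding:
        fields = ["microsecond", "second", "minute", "hour"][: "smhd".index(rounding) + 1]
        t = t.replace(**{f: 0 for f in fields})
    return t


def hits_in_window(docs, now, gte="now-5m", lt="now", field=TIMESTAMP_FIELD):
    """Apply the range filter [gte, lt) to docs as of `now`; return ids."""
    lo, hi = resolve_bound(gte, now), resolve_bound(lt, now)
    return [d["id"] for d in docs if lo <= datetime.fromisoformat(d[field]) < hi]


def constructed_docs(base=BASE):
    """Constructed sample events at fixed offsets (minutes) from `base`."""
    offsets = {"old": -12, "a": -4, "b": -1, "c": 2, "future": 7}
    return [{"id": k, TIMESTAMP_FIELD: (base + timedelta(minutes=v)).isoformat()}
            for k, v in offsets.items()]


def compare_runs(minutes_after_base):
    """Ids matched by the relative window versus an absolute window copied
    from Discover at BASE, when the monitor runs `minutes_after_base` later."""
    docs = constructed_docs()
    now = BASE + timedelta(minutes=minutes_after_base)
    relative = hits_in_window(docs, now)
    absolute = hits_in_window(docs, now, gte=(BASE - timedelta(minutes=5)).isoformat(),
                              lt=BASE.isoformat())
    return {"relative": relative, "absolute": absolute}


if __name__ == "__main__":
    import json
    print(json.dumps(monitor_body("app-logs", 5), indent=2))
    for later in (0, 5):
        print(f"run at BASE+{later}m:", compare_runs(later))
```

Two checks worth doing before relying on such a monitor: keep the schedule interval and the `now-5m` window aligned (an interval longer than the window leaves gaps between runs, a shorter one re-alerts on the same events), and make sure the field you filter on is a `date` field, since `now-5m` date math is only evaluated for date-typed fields.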