Hello,
I have a question regarding the setup of the monitor interval in connection with the filter on timestamp.
So, for example, when I set up my monitor interval for 10 minutes and the filter in the extraction query like:
"filter": [
  {
    "range": {
      "@timestamp": {
        "from": "{{period_end}}||-10m",
        "to": "{{period_end}}",
        "include_lower": true,
        "include_upper": true,
        "format": "epoch_millis",
        "boost": 1
      }
    }
  }
],
I am getting an alert with
- Count: 46
- Period start: 2021-10-18T00:30:04.640Z
- Period end: 2021-10-18T00:40:04.640Z
And, for example, when I run the extraction query in the Edit monitor with the filter below, I am getting 48 hits. What might be the reason for this difference?
How should I set up the filter "from": "{{period_end}}||-10m" in relation to the monitor interval, so that the windows do not overlap and also do not miss any alarms/hits?
"filter": [
  {
    "range": {
      "@timestamp": {
        "from": "2021-10-18T00:40:04.640Z||-10m",
        "to": "2021-10-18T00:40:04.640Z",
        "include_lower": true,
        "include_upper": true,
        "boost": 1
      }
    }
  }
],
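Added example, not part of the question above: a small Python model of the range filter [period_end - 10m, period_end] with include_lower/include_upper, replayed over consecutive monitor runs. It assumes the scheduler fires exactly at period_end, and the sample documents (constructed) carry an assumed "became searchable" time to model indexing lag; it shows how inclusive bounds count a document sitting exactly on a boundary in two adjacent windows, and how a later manual re-run can see documents the scheduled run could not.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)  # mirrors "from": "{{period_end}}||-10m"


def ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2021-10-18T00:40:04.640Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


# Constructed sample documents: (@timestamp, assumed time the doc became searchable).
EVENTS = [
    (ts("2021-10-18T00:30:04.640Z"), ts("2021-10-18T00:30:04.640Z")),  # exactly on a boundary
    (ts("2021-10-18T00:35:00.000Z"), ts("2021-10-18T00:35:01.000Z")),  # ordinary document
    (ts("2021-10-18T00:39:59.000Z"), ts("2021-10-18T00:40:30.000Z")),  # indexed after the run
    (ts("2021-10-18T00:40:10.000Z"), ts("2021-10-18T00:40:11.000Z")),  # belongs to next window
]

# Assumed period_end values of three consecutive runs of a 10-minute monitor.
RUNS = [ts("2021-10-18T00:30:04.640Z"),
        ts("2021-10-18T00:40:04.640Z"),
        ts("2021-10-18T00:50:04.640Z")]


def in_window(t, period_end, include_lower=True, include_upper=True):
    """Evaluate the range filter [period_end-10m, period_end] with the given bound flags."""
    lo, hi = period_end - WINDOW, period_end
    above = t >= lo if include_lower else t > lo
    below = t <= hi if include_upper else t < hi
    return above and below


def count_hits(events, period_end, queried_at=None, **bounds):
    """Hits the filter returns when the query runs at queried_at (default: period_end)."""
    queried_at = queried_at or period_end
    return sum(1 for t, visible in events
               if visible <= queried_at and in_window(t, period_end, **bounds))


def audit_runs(events, period_ends, **bounds):
    """Replay consecutive monitor runs; return (docs counted twice, docs never seen)."""
    matches = [0] * len(events)
    for pe in period_ends:
        for i, (t, visible) in enumerate(events):
            if visible <= pe and in_window(t, pe, **bounds):
                matches[i] += 1
    return sum(m > 1 for m in matches), sum(m == 0 for m in matches)


if __name__ == "__main__":
    print("scheduled run:", count_hits(EVENTS, RUNS[1]))
    print("manual re-run:", count_hits(EVENTS, RUNS[1], ts("2021-10-18T00:45:00.000Z")))
    print("both bounds inclusive:", audit_runs(EVENTS, RUNS))
    print("include_lower=false:", audit_runs(EVENTS, RUNS, include_lower=False))
```

With both bounds inclusive the boundary document is counted in two runs, and the late-indexed document is never seen by any scheduled run yet appears when the same window is queried again later; dropping include_lower removes the overlap but not the indexing-lag gap.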