How does num_event:0 works? #1500
-
|
Hello community, num_events:0 does the above condition only trigger an alert when there are 0 events in 15 minutes? according to documentation, num_events is the minimum no of events, inclusive. Does 0 means greater than or equal to 0. I want to create an alert when no new event is logged. I did not find anyone use num_event: 0. If it does not work, how can we alert when no new events are logged? Thanks. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
Seems like flatline using threshold as 1 suits this scenario. Flatline vs Frequency type is something not clear. |
Beta Was this translation helpful? Give feedback.
-
|
This is documented and already explains which fields are required and which are optional. Frequency: https://elastalert2.readthedocs.io/en/latest/ruletypes.html#frequency |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for your response, As per doc, num_events is the min no of events, inclusive. Is there a workaround on it. I meant, when num_events is 0, it should br (false), it should consider that no events will be logged. But when num_events is greater than 0, (true), it should expect some events will be logged. And then it should work as its definition as the min no of events inclusive. Is this feature already working as expected? |
Beta Was this translation helpful? Give feedback.
-
|
Flatline was added as an extension of Frequency rule to handle the alerting due to lack of logs. You are asking if Frequency can alert on a lack of logs and that is not supported. Using a |
Beta Was this translation helpful? Give feedback.
Flatline was added as an extension of Frequency rule to handle the alerting due to lack of logs. You are asking if Frequency can alert on a lack of logs and that is not supported. Using a
num_events: 0might see some specific scenario where it does send an alert but most situations will not work. Ex: Using a long timeframe where a prev run found some logs (alert) and the next query finds no logs and is able to alert again, using the previously found record as the alert data. But it's untested, unsupported, and not recommended.