Flatline rule wrongly triggered

[fberrez]

I have the same issue. Here is my rule:

name: myRule
description: Sends alerts on flatline
index: myIndex
type: flatline
use_count_query: true
timeframe:
  minutes: 5
threshold: 1

filter:
  - query:
      query_string:
        query: 'fields.metadata.entity: myEntity AND fields.metadata.code: myCode'

# Sets a time interval between two alerts of a same entity
realert:
  minutes: 1

And my kibana result:

We can see that I have one log every single minute. Meanwhile, the alert is triggered (flatline less than 1 in a timeframe of 5 minutes). The interesting thing is the alert is triggered when I set my elastalert config as:

run_every:
  minutes: 1

buffer_time:
  minutes: 10

But the alert will be triggered only if the flatline is confirmed (i.e no log at all in the last 5 minutes, the rule works as expected), when I change it to:

run_every:
  minutes: 3

buffer_time:
  minutes: 10

expected behavior

1. With the config run_every: minutes: 1

• There is 1 hit on the first run (00:00)
• 1 hit on the second run (00:01)
• 1 hit on the third run (00:02)
• 1 hit on the fourth run (00:03)
• 1 hit on the fifth run (00:04)

5 hits on a timeframe of 5 minutes so no flatline (number of hits < 1) -> alert is not triggered

2. With the config run_every: minutes: 3

• There is 1 hit on the first run (00:00)
• 3 hits on the second run (00:03)
• 3 hits on the third run (00:06)

5 hits on a timeframe of 5 minutes so no flatline (number of hits < 1) -> alert is not triggered

[jertel]

I'm unable to reproduce this.

The following rule and config does not trigger an alert, as expected:

name: flatline1
type: flatline
index: frequent
filter:
- query:
    query_string:
      query: 'status: alive'
threshold: 1
timeframe:
  minutes: 5
alert:
- debug
realert:
  minutes: 1

run_every:
  minutes: 1

buffer_time:
  minutes: 10

However, this rule and config does, correctly, trigger an alert:

name: flatline2
type: flatline
index: frequent
filter:
- query:
    query_string:
      query: 'status: alive'
threshold: 1
timeframe:
  seconds: 30
alert:
- debug
realert:
  minutes: 1

run_every:
  seconds: 10

buffer_time:
  minutes: 10

Here is the indexed data:

I'm also attaching the CSV I used to create that index.
frequent.csv

And the debug log showing the details of what's going on for the first 6+ minutes.
frequent.log

[fberrez]

Ok now I have this log:
INFO:elastalert:Ran (PROJECT) name - Logs flatline from 2023-06-27 11:30 UTC to 2023-06-27 11:31 UTC: 0 query hits (0 already seen), 4 matches, 1 alerts sent

What does 4 matches mean?

I tried different config but it doesn't help. Here is the last update:

name: (PROJECT) name - Logs flatline
description: Sends alerts when there is a flatline on the project logs
index: project-*
type: flatline
use_count_query: true
timeframe:
  minutes: 80
threshold: 1

filter:
  - query:
      query_string:
        query: '_id: *'

# Sets a time interval between two alerts of a same entity
realert:
  minutes: 5

start_time: 'SERVICE_ALERT_START_TIME'
end_time: 'SERVICE_ALERT_END_TIME'
drop_if: 'outside'

match_enhancements:
  - 'elastalert_modules.hour_range_enhancement.HourRangeEnhancement'

# Defines alert output
alert:
  - 'slack'

slack_webhook_url: https://.....
slack_username_override: elastalert

# Builds alert message
alert_text_type: alert_text_only

alert_subject: '[PROJECT] Flatline'

alert_text: 'Project did not send logs for the last 80 minutes'

[jertel]

matches = the total matches the rule has found since the start of the timeframe

[fberrez]

So 4 matches have been found, the rule shouldn't be triggered since the flatline threshold is at 1.

[jertel]

Matches are created when the threshold has been breached.

[fberrez]

Well at the end I found another solution than using flatline rules.