Cardinality rule alert triggering randomly unsure why

[Feathz]

What I want to write is an alert that fires when the number/cardinality unique ids(unique algo_keys) from documents for the last 2 minutes is below 3. I want the alert to say the number/cardinality of unique ids(unique algo_keys) it found within the 2 minutes timeframe. Currently I'm running with this :

algo_heartbeats_stopped.yaml

name: algo heartbeats stopped
type: cardinality
index: algo-heartbeats
cardinality_field: algo_key
min_cardinality: 3
alert_text_type: alert_text_only
alert_text: "Only {0} heartbeats found on "
alert_text_args:
  - cardinality_count
doc_type: _doc
forget_keys: true
timeframe:
    minutes: 2
realert:
    minutes: 5
slack_msg_color: danger
alert:
- "slack"
match_enhancements:
  - "elastalert_modules.better_cardinality.GetUniqueCardinalityCount"
slack_webhook_url: "| my-webhook |" 

better_cardinality.py

from elastalert.enhancements import BaseEnhancement

class GetUniqueCardinalityCount(BaseEnhancement):
    def process(self, match):
          match["cardinality_count"] = len(self.rule["type"].cardinality_cache["all"])

This code however seems to trigger in situations were it should not.
I have had it trigger when the cardinality_count is 3. I have also had it trigger when the number of unique ids/unique algo_keysin the last 2 minutes were 3 and said cardinality_count is 0. I'm unsure of what I have done wrong with this rule. Any help would be much appreciated

[jertel]

We would have to analyze the specific matching records in one of those example timeframes where it triggered the alert but your enhancement counted sufficient numbers of unique algo_keys. It might help if you dump the contents of cardinality_cache in your enhancement, and compare those values to the records found in ES for that timeframe that triggered the rule. Keep in mind that if your run_every setting is shorter than your timeframe then the loop that triggers the alert will also be looking at cardinatlity_cache records from previous loops.