limit_execution_coverage param behavior

[CaGix22]

Hi! So Jertel gave us valuable info about the limit_execution_coverage parameter here.
We have a new doubt about if using a range cron schedule in limit_execution is suitable when using limit_execution_coverage: true.

We need to detect logs at: 14:25:11UTC (And from that, every 4 hours logs)
Our global config:
run_every: 1 hour

Our rule config:

type: flatline
limit_execution: "25-45 2/4 * * 0-5"
limit_execution_coverage: true
run_every: 30 min
use_count_query: true (so buffer_time is ignored)
timeframe: 30 minutes

We noticed in the logs that EA makes a tiny query at the beggining of the cron and then it splits.

INFO:elastalert:Queried rule TestRule from 2024-05-07 14:25 UTC to 2024-05-07 14:25 UTC: 0 hits
INFO:elastalert:Ran TestRule from 2024-05-07 14:25 UTC to 2024-05-07 14:25 UTC: 0 query hits (0 already seen), 2 matches, 1 alerts sent
INFO:elastalert:Queried rule TestRule from 2024-05-07 14:25 UTC to 2024-05-07 14:45 UTC: 1 hits
INFO:elastalert:Ran TestRule from 2024-05-07 14:25 UTC to 2024-05-07 14:45 UTC: 1 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Pausing TestRule until next run at 2024-05-07 18:25 UTC

The problem is that the tiny execution from 14:25:00 to 14:25:00 is a match, because it doesn't find the 14:25:11 logs (by 11 seconds). Could someone explain why or how can we get rid of that execution or any idea? We already tried: "25,45 2/4 * * 0-5" (same behavior) , "25 2/4 * * 0-5" (starts Pausing forever and never executes). Please take in consideration that limit_execution_coverage MUST remain true.

Thanks for the help!!!

[nsano-rururu]

Yelp/elastalert#3177

[nsano-rururu]

Yelp/elastalert#2119

[CaGix22]

Oh, I only checked on discussions for ElastAlert2. Thanks @nsano-rururu for the info! Yes, I have the same scenario as @MarcelRoth and also checked the code to try to understand it "better". I've been tweaking different params and crons to get what I need, yet no success.

P/D: Glad to know I'm not the only one searching for the same functionality haha.

[nsano-rururu]

information

Extension to send alerts only within a specific time range
https://github.com/0xSeb/elastalert_hour_range

[CaGix22]

Thanks @nsano-rururu! I saw that enhancement a time ago, I just wanted to find an alternative to it. limit_execution_coverage seemed to be the key parameter that I needed to not be alerted on weekends (as my cron was from Mon to Fri), but that short query of seconds for EA is a match and that's not the scenario I need. I think I've tried all the possible combinations without luck. I might try the extension later tho!