Elastalert scan all the documents in new timeframe? #1502
Answered by jertel
ishukeshri2712 asked this question in Q&A
@jertel I have another doubt. Suppose we have an ElastAlert rule which queries over all documents, and we have put a timestamp of the last 5 minutes; will it then query the fresh documents which are pushed to Elasticsearch?
Answered by
jertel
Jul 18, 2024
Replies: 1 comment
Are you asking if ElastAlert 2 will find a backdated log that was ingested with a timestamp value earlier than the last ElastAlert 2 query? If so then that depends on the rule configuration. I suggest looking at elastalert.py::set_starttime() to see all nuances involved.
0 replies
Answer selected by
jertel
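As an added illustration of the point in the answer above (this is not code from the thread and not ElastAlert 2's own code), the Python below simulates a scheduled rule: each run queries documents whose `@timestamp` falls in a range ending at the run time. With a window equal to the run interval, a document that is ingested late but carries an earlier timestamp (a backdated log) never lands in any window and is silently missed; with a wider, overlapping window plus de-duplication of already-seen documents, it is picked up on the next run. The `buffer_time` name is borrowed from ElastAlert's configuration, but the window arithmetic here is a deliberately simplified model and is not a reproduction of `elastalert.py::set_starttime()`, which is where the real behaviour lives. The sample documents are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample "index". Each document has an event time (@timestamp) and
# the time it became visible to queries (ingested). Document "c" is backdated:
# it is ingested at minute 9 but its event timestamp is minute 3, inside a
# window the rule has already queried by then.
T0 = datetime(2024, 7, 18, 12, 0, tzinfo=timezone.utc)
DOCS = [
    {"id": "a", "@timestamp": T0 + timedelta(minutes=1), "ingested": T0 + timedelta(minutes=1, seconds=5)},
    {"id": "b", "@timestamp": T0 + timedelta(minutes=4), "ingested": T0 + timedelta(minutes=4, seconds=2)},
    {"id": "c", "@timestamp": T0 + timedelta(minutes=3), "ingested": T0 + timedelta(minutes=9)},  # backdated
    {"id": "d", "@timestamp": T0 + timedelta(minutes=7), "ingested": T0 + timedelta(minutes=7, seconds=1)},
]


def query(docs, start, end, now):
    """Stand-in for the Elasticsearch range query: documents visible at `now`
    whose @timestamp lies in [start, end)."""
    return [d for d in docs if d["ingested"] <= now and start <= d["@timestamp"] < end]


def run_schedule(docs, run_every_min, buffer_min, runs, t0=T0):
    """Simulate `runs` successive rule executions (simplified model, not
    ElastAlert's set_starttime logic). Run i happens at t0 + i*run_every and
    queries the last `buffer_min` minutes. When buffer_min > run_every_min the
    windows overlap, so ids already alerted on are de-duplicated.
    Returns the list of newly matched ids per run."""
    seen = set()
    hits_per_run = []
    for i in range(1, runs + 1):
        now = t0 + timedelta(minutes=run_every_min * i)
        start = now - timedelta(minutes=buffer_min)
        new = [d["id"] for d in query(docs, start, now, now) if d["id"] not in seen]
        seen.update(new)
        hits_per_run.append(new)
    return hits_per_run


def missed(docs, run_every_min, buffer_min, runs, t0=T0):
    """Ids that exist in the index but were never matched by any run."""
    matched = {i for run in run_schedule(docs, run_every_min, buffer_min, runs, t0) for i in run}
    return sorted(d["id"] for d in docs if d["id"] not in matched)


if __name__ == "__main__":
    # Window equal to the run interval: "c" is never inside a queried range.
    print("no overlap :", run_schedule(DOCS, 5, 5, 2), "missed:", missed(DOCS, 5, 5, 2))
    # Wider overlapping window: "c" is caught on the second run, nothing re-alerted.
    print("overlap    :", run_schedule(DOCS, 5, 10, 2), "missed:", missed(DOCS, 5, 10, 2))
```

The practical takeaway for a detection engineer is that the query window, not just the rule's own filter, determines whether late-arriving events are ever evaluated; how far back a real rule looks, and how it avoids re-alerting, is exactly what the answer's pointer to `set_starttime()` is about.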