Queries regarding functioning of elastalert2 #1504

ishukeshri2712 · 2024-07-20T21:54:49Z

ishukeshri2712
Jul 20, 2024

Hi community, I want to learn few points about
Elastalert,

Suppose we have an elastalert rule for time stamp set to 5 minutes so is it like it will query only the data in between this period to elasticsearch?
Suppose we put run_every parameter to 1 minutes so with timestamp 5 minutes then every one minute addition it will query duplicate documents in this time period
Suppose we didn’t put the timestamp field then what will happens will it query all the documents in the given index ?
What is the best run_every value we should set for a particular use case ?
What is the best buffer_time parameter we should use?
Plse help me Thanks in Advance ✌️

I'm having trouble understanding these questions. Did you read the documentation and all of the parameters related to timing?

ElastAlert 2 requires records to have a timestamp field.

run_every values depend on each user's use case. Same with buffer_time.

I recommend (re) reading the documentation because these topics are explained in that documentation.

ishukeshri2712 · 2024-07-21T10:58:21Z

@jertel plse explain

1 reply

I'm having trouble understanding these questions. Did you read the documentation and all of the parameters related to timing?

ElastAlert 2 requires records to have a timestamp field.

run_every values depend on each user's use case. Same with buffer_time.

I recommend (re) reading the documentation because these topics are explained in that documentation.

Answer selected by ishukeshri2712