Run rule once a day with time window from that day

[aizerin]

I'm trying to set up a rule which will run only once a day. But I'm struggling with time window settings. I have following alert:

---
name: Errors alerts
type: frequency
num_events: 1
timeframe:
  hours: 24
use_count_query: true
doc_type: "_doc"
limit_execution: "0-5 0 * * *"
index: some-error*
filter: []
alert:
  - "debug"

Which suppose to generate a report of num_hits in a single day. But there is a problem with timeframe settings. Currently, it will only take events at the time of execution, not for the whole day. And I'm not able to find what exactly timeframe means.

Is it possible to make it somehow with different settings?

[jertel]

Did you allow the rule to run for an entire day (24h+) before posting this? If so, what are the actual results? Logs are useful when requesting support (See #11).

Perhaps the scan_entire_timeframe config value will help.

[aizerin]

Thanks, I completely missed the scan_entire_timeframe option. Together with realert I'm able to make it. It is more like report than alert, but it does the job.

[Siddhi268]

Can u plz share rule.yaml file for the above case u resolved , as i am stuck in same scenerio.