Spike Rule does not work properly after a restart of Elastalert #667

Open
thib12 opened this issue Jan 21, 2022 · 1 comment
thib12 commented Jan 21, 2022

Suppose the following scenario:

  1. You have defined a spike rule with the following config (strongly inspired from the examples):

```yaml
# (Required)
# Rule name, must be unique
name: Event spike

# (Required)
# Type of alert.
# the spike rule type compares the number of events within two sliding windows to each other
type: spike

# (Required one of _cur or _ref, spike specific)
# The minimum number of events that will trigger an alert
# For example, if there are only 2 events between 12:00 and 2:00, and 20 between 2:00 and 4:00
# _ref is 2 and _cur is 20, and the alert WILL fire because 20 is greater than threshold_cur and (_ref * spike_height)
threshold_cur: 5
#threshold_ref: 5

# (Required, spike specific)
# The size of the window used to determine average event frequency
# We use two sliding windows each of size timeframe
# To measure the 'reference' rate and the current rate
timeframe:
  hours: 2

# (Required, spike specific)
# The spike rule matches when the current window contains spike_height times more
# events than the reference window
spike_height: 3

# (Required, spike specific)
# The direction of the spike
# 'up' matches only spikes, 'down' matches only troughs
# 'both' matches both spikes and troughs
spike_type: "up"

# If true, when ElastAlert 2 starts, it will always start querying at the current time
# minus the timeframe. timeframe must exist in the rule.
scan_entire_timeframe: true
```

  2. Before 4 AM there were no events.
  3. Between 4 and 5.50 AM, there were 10 events.
  4. Between 5.50 AM and 6 AM, there were no events.
  5. Between 6 AM and 7:50 AM there were 29 events.
  6. Elastalert2 stops at 7.50 AM and is restarted immediately (no --start option is set).
  7. At 7.55 AM there is one more event.

At startup, Elastalert will query the whole timeframe (= 2h), from 5.50 to 7.50 AM and fill in the current window. However, the reference window will be empty. This means that an alert will not be triggered at 7.55 AM...

Do you agree that such an issue might happen?

A way should be found to fill in both the reference window and the current window when Elastalert is restarted. This could be done by adapting the definition of the SpikeRule.timeframe to be equal to half of the rule["timeframe"].
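The scenario above, replayed against a simplified two-window model (added here as an illustration; this is not ElastAlert's own code and the event timestamps are constructed). The model assumes the rule stays silent until the reference window lies entirely inside the interval the process has loaded, which is the reasoning the issue gives for the missed alert, and it compares with `>=` on both thresholds. The `backfill` parameter shows the effect of loading two timeframes at startup instead of one, as the proposal suggests.

```python
from datetime import datetime, timedelta

TIMEFRAME = timedelta(hours=2)   # timeframe from the rule config above
THRESHOLD_CUR = 5
SPIKE_HEIGHT = 3


def at(h, m=0):
    """Clock time on an arbitrary constructed day."""
    return datetime(2022, 1, 21, h, m)


def spread(start, end, n):
    """n evenly spaced constructed events in [start, end)."""
    step = (end - start) / n
    return [start + i * step for i in range(n)]


# Constructed event stream following the scenario in the issue.
EVENTS = sorted(spread(at(4), at(5, 50), 10) + spread(at(6), at(7, 50), 29) + [at(7, 55)])


def window_counts(events, now, timeframe=TIMEFRAME):
    """(reference, current) counts for the two adjacent windows ending at now."""
    cur_start = now - timeframe
    ref_start = cur_start - timeframe
    ref = sum(1 for t in events if ref_start <= t < cur_start)
    cur = sum(1 for t in events if cur_start <= t <= now)
    return ref, cur


def spike_fires(events, now, started_at, backfill=TIMEFRAME, timeframe=TIMEFRAME):
    """Simplified model of an 'up' spike check (not ElastAlert's code).

    The process only sees events loaded since started_at - backfill; one
    timeframe is what the issue says scan_entire_timeframe loads. Assumption:
    no alert until the reference window is fully inside the loaded interval.
    """
    visible_from = started_at - backfill
    ref_start = now - 2 * timeframe
    if ref_start < visible_from:
        return False  # reference window not filled since (re)start
    ref, cur = window_counts([t for t in events if t >= visible_from], now, timeframe)
    return cur >= THRESHOLD_CUR and cur >= ref * SPIKE_HEIGHT  # assumed inclusive


if __name__ == "__main__":
    now = at(7, 55)
    print("continuous run:", spike_fires(EVENTS, now, started_at=at(0)))
    print("restart at 7:50:", spike_fires(EVENTS, now, started_at=at(7, 50)))
    print("restart, 2x backfill:", spike_fires(EVENTS, now, at(7, 50), backfill=2 * TIMEFRAME))
```

At 7:55 the windows hold 10 and 30 events, so the continuous run fires and the restarted one does not; loading two timeframes at startup makes the restarted run fire as well.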


This issue is stale because it has been open for 6 months with no activity. Stale issues convey that the issue, while important to someone, is not critical enough for the author, or other community members to work on, sponsor, or otherwise shepherd the issue through to a resolution.

@github-actions github-actions bot added the Stale label Feb 17, 2024