These are chat archives for Yelp/elastalert

7th
Mar 2018
jeang31
@jeang31
Mar 07 10:54
Hello guys, I got an issue: with a BlackList rule, I have a buffer_time set to 20 minutes and the run_every is 5 minutes in the config.yml.
My problem is, the rule starts every 5 minutes and the window time (20 minutes) overlaps a previous run of the rule.
Is it expected? I have allow_buffer_time_overlap: False and use_run_every_query_size: False
thanks :)
Quentin Long
@Qmando
Mar 07 22:58
@jeang31 allow_buffer_time_overlap only applies to metric aggregation type rules
same with run_every_query_size
It is expected that queries overlap. That is normal. When it prints "(X already seen)" that's because of the overlapping queries
They will not be counted twice
@royrusso Go for it
@hugoalmeida4_twitter Why not
type: flatline
timeframe:
  minutes: 5
filter:
- term:
    monitor.status: "up"
- term:
    monitor.name: "HTTP-VM-ES"
threshold: 1
Quentin Long
@Qmando
Mar 07 23:03
@RobertoFlores Did you add a --end parameter? I'm guessing not, that would be too easy. I can't think of why elastalert would stop without an exception message.
@gatsya_twitter "timeframe" is an internal store and "buffer_time" refers to the exact time range on a query to elasticsearch. If timeframe is longer, it will remember the data from multiple queries.
You generally don't need to worry about buffer_time AT ALL unless you are experiencing slowness or memory issues or have some special time requirements