Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add buffer_time field in rule creation #685

Open
giedriusramas opened this issue Jan 15, 2025 · 6 comments
Open

add buffer_time field in rule creation #685

giedriusramas opened this issue Jan 15, 2025 · 6 comments
Assignees
@nsano-rururu
Labels
1.8.20 1.8.21 2.0.0 enhancement New feature or request
Milestone
1.8.21

Comments

@giedriusramas
Copy link
Contributor

giedriusramas commented Jan 15, 2025
edited
Loading

💪 Motivation

Add buffer_time field to be editable in rule creation . For example when a add rule for count aggregation is added it is good to have buffer_time editable so we could override default from config.yaml

📖 Reference (optional)

https://elastalert.readthedocs.io/en/latest/running_elastalert.html#creating-a-rule
@giedriusramas giedriusramas added the enhancement New feature or request label Jan 15, 2025
@nsano-rururu
Copy link
Collaborator

If use_count_query or use_terms_query is true, buffter_time is ignored, so it may be necessary to make it unsettable or not output to yaml.

@giedriusramas
Copy link
Contributor Author

Hey @nsano-rururu thanks for your reply

For example I have rule

alert:
  - "debug"
description: "My custom rule."
filter:
  - query:
      query_string:
        query: "destination.ip:*"
import: "../BaseRule.config"
index: "index-*"
is_enabled: true
match_enhancements: []
max_threshold: 1500000000
metric_agg_key: "destination.bytes"
metric_agg_type: "sum"
name: "my-rule"
query_key:
  - "source.ip"
  - "destination.ip"
realert:
  hours: 8
timestamp_field: "@timestamp"
timestamp_type: "iso"
type: "metric_aggregation"
use_strftime_index: false
buffer_time:
        hours: 8

How could I set buffer_time from praeco gui ?

@nsano-rururu
Copy link
Collaborator

@giedriusramas

Currently it is not possible to set buffer_time from the screen.
Would it be OK if we could make it configurable for now?
If so, we will address this in the next version.

@giedriusramas
Copy link
Contributor Author

@nsano-rururu sure it would be nice to have it configurable, thanks in advance

@nsano-rururu
Copy link
Collaborator

@giedriusramas

The next release is scheduled for the end of March. Linenotify will be discontinued, so we will delete the Linenotify settings. We will add them at the same time as the release.

@nsano-rururu nsano-rururu self-assigned this Jan 29, 2025
@nsano-rururu nsano-rururu added this to the 1.8.21 milestone Jan 29, 2025
@nsano-rururu
Copy link
Collaborator

@giedriusramas

As I am also a co-maintainer of elastalert2, I will also be deleting the alert notifications from elastalert2 to Linenotify.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nsano-rururu nsano-rururu

Labels
1.8.20 1.8.21 2.0.0 enhancement New feature or request
Projects
None yet
Milestone
1.8.21
Development

No branches or pull requests
2 participants
@giedriusramas @nsano-rururu