What time period do rules look over when they are ran (automatically)? Is that defined by the look-back time we set?
If that's the case, I've come across some odd behavior from a custom threshold rule (grouped by 3 occurrences on the same host.name
) where I've set the look-back time to 1 second (for testing purposes). Yet when I run a preview, these events trigger an alert despite spanning a 4 second period:
Feb 5, 2025 @ 10:16:10.306
Feb 5, 2025 @ 10:16:08.209
Feb 5, 2025 @ 10:16:06.091
I must be misunderstanding the time period that rules look over and how it is defined, could someone clarify this issue?
1 post - 1 participant