A Frequency alert matches when at least a certain number of events (`num_events`) occur within a given window of time (`timeframe`).

For example, with `num_events: 100` and a `timeframe` of 3 hours, you would receive an alert on your configured channel whenever 100 or more events matching the `filter` query all fall within any 3-hour window. Here is an example rule:
```yaml
name: "Frequency alert example"
type: frequency
index: "*-*"
timeframe:
  hours: 3
num_events: 100
filter:
- query:
    query_string:
      query: "router.status: [500 TO 599]"
realert:
  minutes: 10
exponential_realert:
  hours: 8
alert:
- "email"
email:
- "example@logit.io"
```
Additional Options
You can also set `realert` to ignore repeated matches of the same rule for the given period after an alert fires, so a sustained burst of errors produces one notification every 10 minutes (in the example above) rather than one per match. Adding `exponential_realert` makes the `realert` period double each time the rule alerts again while alerts continue to fire, up to the value you give (8 hours in the example); once the alerts stop, the period returns to the base `realert` value.
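To make the matching and suppression behaviour concrete, here is an added Python model of the rule above. It is example code written for this page, not ElastAlert's own implementation. It assumes a constructed stream of events that each carry an `@timestamp` and a numeric `router.status` field, lowers `num_events` to 3 so a short sample can trigger the rule, and uses a simplified doubling rule for `exponential_realert`: the period doubles when the next alert arrives within the current `realert` period after the previous suppression ended, and falls back to the base value otherwise.

```python
"""Simplified model of an ElastAlert frequency rule with realert / exponential_realert.

Added example, not ElastAlert's own code: the sliding window and the silencing
logic follow the behaviour described on the page, not ElastAlert's exact source.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed rule mirroring the page's YAML. num_events is lowered from 100
# to 3 so the short constructed event stream below can trigger it.
RULE = {
    "num_events": 3,
    "timeframe": timedelta(hours=3),
    "realert": timedelta(minutes=10),
    "exponential_realert": timedelta(hours=8),
}


def matches_filter(event):
    """The page's filter, `router.status: [500 TO 599]` (an inclusive range)."""
    status = event.get("router.status")
    return status is not None and 500 <= status <= 599


class FrequencyRule:
    def __init__(self, rule):
        self.num_events = rule["num_events"]
        self.timeframe = rule["timeframe"]
        self.realert = rule["realert"]
        self.exp_realert = rule.get("exponential_realert")
        self.window = deque()      # timestamps of matching events still inside timeframe
        self.silence_until = None  # no alert is sent before this time
        self.exponent = 0          # how many times realert has doubled so far
        self.alerts = []           # timestamps at which an alert was actually sent
        self.suppressed = []       # matches swallowed by realert

    def add_event(self, event):
        """Feed one event (events must arrive in timestamp order). True if an alert was sent."""
        if not matches_filter(event):
            return False
        ts = event["@timestamp"]
        self.window.append(ts)
        # Slide the window: drop events older than timeframe relative to the newest one.
        while ts - self.window[0] > self.timeframe:
            self.window.popleft()
        if len(self.window) < self.num_events:
            return False
        self.window.clear()  # the count starts over after a match
        return self._maybe_alert(ts)

    def _maybe_alert(self, ts):
        if self.silence_until is not None and ts < self.silence_until:
            self.suppressed.append(ts)
            return False
        self.alerts.append(ts)
        self.silence_until = ts + self._next_wait(ts)
        return True

    def _next_wait(self, ts):
        """realert period to apply after an alert sent at `ts`."""
        if self.exp_realert is None or self.silence_until is None:
            self.exponent = 0
            return self.realert
        # Assumed doubling rule (a simplification): if this alert came less than one
        # current realert period after the previous silence expired, alerts are still
        # "continuing to fire", so double; otherwise fall back to the base realert.
        current = self.realert * (2 ** self.exponent)
        self.exponent = self.exponent + 1 if ts - self.silence_until < current else 0
        return min(self.realert * (2 ** self.exponent), self.exp_realert)


def at(hhmm):
    """Helper for the constructed timeline: a time on one fixed day."""
    return datetime(2024, 1, 1, *map(int, hhmm.split(":")))


# Constructed sample events (not real logs): 5xx bursts, one 200, and a slow trickle.
SAMPLE_EVENTS = [
    {"@timestamp": at("00:00"), "router.status": 500},
    {"@timestamp": at("00:01"), "router.status": 502},
    {"@timestamp": at("00:02"), "router.status": 503},  # 3rd 5xx in 2 min -> alert, silence to 00:12
    {"@timestamp": at("00:03"), "router.status": 200},  # not matched by the filter
    {"@timestamp": at("00:05"), "router.status": 500},
    {"@timestamp": at("00:06"), "router.status": 500},
    {"@timestamp": at("00:07"), "router.status": 500},  # match, but inside realert -> suppressed
    {"@timestamp": at("00:13"), "router.status": 504},
    {"@timestamp": at("00:14"), "router.status": 504},
    {"@timestamp": at("00:15"), "router.status": 504},  # alert; realert doubles to 20 min
    {"@timestamp": at("00:36"), "router.status": 500},
    {"@timestamp": at("00:37"), "router.status": 500},
    {"@timestamp": at("00:38"), "router.status": 500},  # alert; realert doubles to 40 min
    {"@timestamp": at("05:00"), "router.status": 500},
    {"@timestamp": at("05:01"), "router.status": 500},
    {"@timestamp": at("05:02"), "router.status": 500},  # alert after a long gap; back to 10 min
    {"@timestamp": at("10:00"), "router.status": 500},
    {"@timestamp": at("12:00"), "router.status": 500},
    {"@timestamp": at("13:30"), "router.status": 500},  # 10:00 has aged out: only 2 in window
    {"@timestamp": at("14:00"), "router.status": 500},  # 12:00, 13:30, 14:00 -> alert
]


def run(rule=RULE, events=SAMPLE_EVENTS):
    """Replay the events through the rule and return it for inspection."""
    fr = FrequencyRule(rule)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        fr.add_event(ev)
    return fr


if __name__ == "__main__":
    fr = run()
    for ts in fr.alerts:
        print("ALERT     ", ts.strftime("%H:%M"))
    for ts in fr.suppressed:
        print("suppressed", ts.strftime("%H:%M"))
```

Running it shows five alerts and one suppressed match; the 00:07 burst is swallowed because it falls inside the 10-minute `realert` that started at 00:02, the 13:30 event does not alert because the 10:00 event has already slid out of the 3-hour window, and the long quiet spell before 05:02 resets the doubled period back to the base value.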
What's next?
Read Logit's introduction to alerting
Learn how to ensure my ElastAlert rule is configured correctly
Learn more about ElastAlert rules: if you'd like to learn more about ElastAlert rules from the people that built it, check out their cheat sheet.