Flatline - 0 hits 0 matches - No Alert received

[CaGix22]

Hi! This is my case: I need to detect when my "Uploaded" log is missing, so the best option is a flatline, right?
The logs saying "Uploaded" are every 4 hours, but in this case I want to show you a particular run: 14:20UTC in which there are no logs.

Global config:

run_every: hours: 1
buffer_time: hours: 1 (disregard because of use_count_query: true)

type: flatline
threshold: 1
limit_execution: "25 2-22/4 * * 0-5"
realert:
   hours: 3
use_count_query: true
timeframe:
   hours: 4

So, I understand that flatline rules require a minimum elapsed time before they begin alerting so the first day I usually disregard it, but well, the first two days at 14:25 the rule alerted as expected.

May 12: starttime:  May 12, 2024 @ 10:25:00.000  endtime: May 12, 2024 @ 14:25:00.000 hits:  0 matches:  4

So, 4 matches: I got an Alert on my email which was expected behavior. BUT at the next cron schedule at 18:25 I had a new email, saying that between 11:25 and 15:25 there were 3 hits and 6 matches" Ok, yes, between that timeframe there were no logs, but the 3 hits are from the next logs run... So i thought (and please correct me if I am wrong) "This may be an EA thing in which the first query run there are no hits found, meanwhile... if in he next 3 queried rule there are hits still will alert the first match... "

The following days at the same time, the query rule says the same timestamp but: 0 hits and 0 matches. No matches. No Alert. I really believe it is not the realert param, because it is configured on 3 hours. There are more than 3 hours between the alerts AND missing logs. I don't understand why I am not receiving the alert at 2:25.. and why 0 matches.

What I am missing here? The first days it worked as expected, then I only receive the "second alert" at the next run 4 hours later (which I actually don't mind it) but I expect the alert when it says 0 hits 0 matches, because IT IS A MATCH in almost the exact time in which the logs are missing.
Also: Is my cron schedule on limit_execution used properly? "As a range"?

Thanks! If there are doubts and need more info, please feel free to ask. We really want to learn to use EA properly.

[jertel]

ElastAlert 2 is intended to be run continously. It is not designed to "wake up" every once in a while, run a query, and go back to sleep.

Limit execution is intended to be used for enabling ElastAlert 2 during smaller portions of the day. That's why the range of time is required in the cron format. Your cron format of 25 2-22/4 appears to be saying "execute at 25 minutes past every 4th hour between the hours of 02 and 22. That's not using ElastAlert 2 how it was intended since it's expecting to run at specific points in time within a range. A valid cron format for ElastAlert 2 would be * 2-22 * * 1-5 which means to enable rule checking from the entire time starting at 02:00 through 22:59 on Mondays, Tuesdays, Wednesday, Thursdays, and Fridays.

Try switching to that and see if the log results start making more sense.

[CaGix22]

Thanks, Jertel, for taking the time to answer! I'll make the change and let you know how it went later.

[CaGix22]

Saddly I cannot test this right away, but I've been thinking that taking into account your cron suggestion: * 2-22 * * 1-5 I am not going to get the result I want because I still need to check that there are logs every 4 hours in the day (2:20, 6:20, 10:20....etc) If I don't have logs at 2:20 and 10:20 I am not going to be alerted until 22:59 about it. Also if at 10:20 I don't have logs either I will never notice, I will just get at 22:59 the "Between 2:00 and 3:00 there were no logs" alert mail.

I think what I need is very specific. As soon I have tested the new cron I'll let you know.