Formular to calculate first alert rule search time range

Question

Is there a formula by which the first search timerange (from to) of a newly created alert rule could be calculated?

For example, if I create a new alert rule with 24 hours time range NOW (e.g. at 10:00 AM), the first search will run between yesterday 6:00 AM and today 5:00 AM. Naively, I would have expected the search to run from yesterday 10 AM to today 10 AM.

If I create an alert rule that has e.g. 5 minutes search time range, then the first search runs about 25 minutes to 20 minutes before the alert rule is activated.
So the search time range of the alert rule search varies depending on the alert rule time range.

Since I am developing an alert rule test environment that activates alert rules and ingests pre-made logs, it would be significant to set the timestamps in these pre-made logs so that they occur in the timerange in the first search run of the alert rule.

So the question is, if there is a formula for this, with which I can determine the time period in advance, in which the alert rule search will run.

Page 1 / 1

@Abhinit Karna , perhaps you could pitch in on this one? :)

I found the solution myself by decompiling some of the premerger and config generation code.

Reply

markus.nebel@8com.de · Accepted Answer

I found the solution myself by decompiling some of the premerger and config generation code.

Anonymous · Answer

@Abhinit Karna, perhaps you could pitch in on this one? :)

Reply

Sign up

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Login to the community

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Scanning file for viruses.

This file cannot be downloaded