Kibana Log_Based alarms always show hits as 0 for different total.value


Article ID: 222539


Products

DX Operational Intelligence

Issue/Introduction

The Log_Based query is run for different times (15, 60, 200, 300, 1000 minutes), but in all results "hits" comes back as 0 while total.value changes. We expect the hits and total.value counts to be the same.

The same filter works fine in the Kibana dashboard; the issue occurs only on the log_based alarms page.

 

Environment

Release : 20.2

Component : CA DOI LOG ANALYTICS

Resolution

The problem appears to be that size is set to 0 in the log query but to 500 in Kibana.

total.value is the number of documents that matched the search criteria. hits[] holds the results actually returned, which depends on the size parameter in the search criteria. By default size is set to 0, and it can be increased up to 500 if needed. It is recommended not to set size unless the expressions in the threshold or message are based on values in the hits array.

 


 

 

 

The expectation that "hits and total.value count should be the same" is not correct, as explained above.

The output is based on the results of the query execution over the last interval. It is expected to change because these queries are time based. If you want to see sample results, set size to 10.
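The following added example (not DX OI product code) shows the difference in practice: two constructed search responses for the same query, one with size 0 and one with size 10, and a count threshold evaluated on total.value rather than on the hits array. The function names and sample documents are assumptions; the field layout follows the standard Elasticsearch search response, including the "relation" field that marks total.value as a lower bound.

```python
def summarize(response):
    """Return (matched, exact, returned) for a search response.

    matched  - hits.total.value: documents that matched the query
    exact    - False when relation is "gte" (value is only a lower bound)
    returned - len(hits.hits): documents actually returned, capped by size
    """
    hits = response["hits"]
    total = hits["total"]
    if isinstance(total, dict):           # object form: {"value": n, "relation": ...}
        matched = total["value"]
        exact = total.get("relation", "eq") == "eq"
    else:                                 # older integer form
        matched, exact = int(total), True
    return matched, exact, len(hits.get("hits", []))


def threshold_breached(response, threshold):
    """Evaluate a count threshold on total.value, never on len(hits)."""
    matched, _exact, _returned = summarize(response)
    return matched >= threshold


# Constructed sample responses for the same query and time window.
SIZE_0 = {"hits": {"total": {"value": 137, "relation": "eq"}, "hits": []}}
SIZE_10 = {"hits": {"total": {"value": 137, "relation": "eq"},
                    "hits": [{"_id": str(i), "_source": {"message": "sample"}}
                             for i in range(10)]}}
# Constructed sample where the count stopped at the tracking limit.
CAPPED = {"hits": {"total": {"value": 10000, "relation": "gte"}, "hits": []}}

if __name__ == "__main__":
    for name, resp in (("size=0", SIZE_0), ("size=10", SIZE_10), ("capped", CAPPED)):
        matched, exact, returned = summarize(resp)
        print(f"{name}: total.value={matched} exact={exact} hits returned={returned}")
    print("breached at 100:", threshold_breached(SIZE_0, 100))
```

An alarm expression that counted the hits array would never fire with size 0, while one based on total.value behaves the same at any size.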