
Kibana Log_Based alarms always show hits as 0 for different total.value


Article ID: 222539


Updated On:


DX Operational Intelligence


A Log_Based query is run over different time windows (15, 60, 200, 300, 1000 minutes), but in every result "hits" comes back as 0 while total.value changes. We expect that the hits and total.value counts should be the same.

The same filter works fine in the Kibana dashboard; the issue occurs only on the log_based alarms page.



Release : 20.2



The problem seems to be that the size is set to 0 in the log query but to 500 in Kibana.

total.value tells how many documents matched the search criteria. hits[] holds the returned results, limited by the size parameter in the search criteria. By default the value is set to 0 and can be increased up to 500 (if needed). However, it is recommended not to set the size unless expressions in the threshold or message are based on the values in the hits array.




The expectation that "hits and total.value count should be the same" is not correct, as explained above.

The output is based on the results obtained from query execution in the last interval. It is expected to change because these queries are time based. If you want to see sample results, set the size to 10.
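
The relationship between size, hits[] and total.value, shown as an added example (not code from this article or from DX Operational Intelligence). It uses a stand-in for the search call over constructed log-line ages and runs it for the five time windows from the issue description; the `@timestamp` field name, the query text and all helper names are assumptions.

```python
WINDOWS = (15, 60, 200, 300, 1000)  # minutes, as in the issue description

# Constructed sample: one matching log line every 7 minutes (age in minutes).
SAMPLE_AGES = list(range(1, 1000, 7))


def request_body(window_minutes, size=0, time_field="@timestamp"):
    """Search body for the last N minutes. `size` only caps hits.hits;
    it has no effect on hits.total.value. Field name is an assumption."""
    return {
        "size": size,
        "query": {"bool": {
            "must": [{"query_string": {"query": "error"}}],
            "filter": [{"range": {time_field: {"gte": f"now-{window_minutes}m"}}}],
        }},
    }


def search(ages, window_minutes, size=0):
    """Stand-in for the real search call: mimics the response shape."""
    matched = [a for a in ages if a <= window_minutes]
    return {"hits": {
        "total": {"value": len(matched), "relation": "eq"},
        "hits": [{"_source": {"age_minutes": a}} for a in matched[:size]],
    }}


def summarize(response):
    """Return (documents matched, documents returned)."""
    hits = response["hits"]
    return hits["total"]["value"], len(hits["hits"])


def table(size):
    """(matched, returned) per time window for a given size."""
    return {w: summarize(search(SAMPLE_AGES, w, size)) for w in WINDOWS}


if __name__ == "__main__":
    for size in (0, 10, 500):
        print(f"size={size}: {table(size)}")
```

With size 0 the returned count is 0 in every window while the matched count grows with the window, which is the behaviour reported in the issue; an alarm threshold that counts matches should therefore read total.value, not the length of hits[].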