Add --hours-back CLI option for edr monitor #1548
Comments
Hi @miktros

> By splitting data into 1-hour time buckets in `volume_anomalies` tests, we were hoping to be able to run

So I'm not sure this behavior really works, because when the failed test happened in the last hour an alert will be fired, even if the failed metric isn't from the last hour, because you have a detection period of 1 day - so every failure in the past 1 day will fail the test, and if it happens in the hour prior to running

A different workaround I can suggest is to use the `alert_suppression_interval` flag in your CLI - setting it to 24 for example will only alert on the same issue once every 24 hours, preventing you from getting duplicate alerts on the same issue. Does this help? If not-
**Is your feature request related to a problem? Please describe.**

Documentation for `volume_anomalies` lists `hour` as an option for configuring `detection_period`. However, configuring `detection_period` using `hour` results in a compilation error: `Missing mandatory configuration: ['backfill_days']`

**Describe the solution you'd like**

Elementary tests like the `volume_anomalies` test allow configuring `time_bucket` by the hour. I would like to be able to configure the `detection_period` using the `hour` option so that I can arrange for test runs such that anomaly alerts are emitted based on test failures of comparing the row count of the most recent hourly time bucket of `detection_period` against the row count of time buckets for the last `training_period` days.

**Describe alternatives you've considered**

Introduce a new CLI option `--hours-back` for `edr monitor` to optionally set a number-of-hours limit to how far back `edr monitor` should look for pending alerts. If provided, it overrides `--days-back`.

I have a POC implementation that seems to work. PR to add optional `--hours-back` for `edr monitor` here.

**Additional context**

None.

**Would you be willing to contribute this feature?**

I am open to contributing to this feature and would appreciate any guidance you can provide.
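The test configuration the issue describes, written out as an added example (it is not part of the original issue and not taken from the Elementary project's own docs): a `volume_anomalies` test with an hourly `time_bucket` and a `detection_period` given in hours, compared against a `training_period` in days. The model name `orders` and the column `updated_at` are placeholders; the `period`/`count` shape follows Elementary's test-configuration convention.

```yaml
# models/schema.yml -- added example; model and column names are placeholders
version: 2

models:
  - name: orders
    tests:
      - elementary.volume_anomalies:
          timestamp_column: updated_at
          # Hourly buckets: the issue states time_bucket can already be set by the hour.
          time_bucket:
            period: hour
            count: 1
          # Detect on the most recent hourly bucket only. Per the issue, this
          # `period: hour` setting is what fails at compile time with
          # "Missing mandatory configuration: ['backfill_days']".
          detection_period:
            period: hour
            count: 1
          # Train on the preceding 14 days of hourly buckets.
          training_period:
            period: day
            count: 14
```

Even if this compiled, the alerting side is a separate concern: `edr monitor` selects pending alerts by `--days-back`, which is why the issue proposes an `--hours-back` option that overrides it, so that a run scheduled hourly only surfaces the failures from the hour just tested.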