We will take our existing alert and change a threshold from 0 to 1 or whatever and save it through the web interface. This is affecting one of our nodes which happens to be the one with the most alerts on it. (Around 2000 or so)
We also notice this on another node but when editing the query in the alert via the web interface.
We started with this query:
{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1458843407609,"to":1458843707611}}},{"fquery":{"query":{"query_string":{"query":"servicename:(
We changed it within the alert to:
{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1458843407609,"to":1458843707611}}},{"fquery":{"query":{"query_string":{"query":"message:(
After clicking on the view alert button on the view alerts page it displays the incorrect filter on the dashboard. Viewing the alert after updating shows the proper query; it's just viewing the alert dashboard that does not display the proper filters. Do we know if the alert is running with the proper query, or is the view alert not functioning properly?
Thanks.