elastalert2
Spike Rule does not work properly after a restart of Elastalert
Suppose the following scenario:
- You have defined a spike rule with the following config (strongly inspired from the examples):

  ```yaml
  # (Required)
  # Rule name, must be unique
  name: Event spike

  # (Required)
  # Type of alert.
  # the spike rule type compares the number of events within two sliding windows to each other
  type: spike

  # (Required one of _cur or _ref, spike specific)
  # The minimum number of events that will trigger an alert
  # For example, if there are only 2 events between 12:00 and 2:00, and 20 between 2:00 and 4:00
  # _ref is 2 and _cur is 20, and the alert WILL fire because 20 is greater than threshold_cur and (_ref * spike_height)
  threshold_cur: 5
  #threshold_ref: 5

  # (Required, spike specific)
  # The size of the window used to determine average event frequency
  # We use two sliding windows each of size timeframe
  # To measure the 'reference' rate and the current rate
  timeframe:
    hours: 2

  # (Required, spike specific)
  # The spike rule matches when the current window contains spike_height times more
  # events than the reference window
  spike_height: 3

  # (Required, spike specific)
  # The direction of the spike
  # 'up' matches only spikes, 'down' matches only troughs
  # 'both' matches both spikes and troughs
  spike_type: "up"

  # If true, when ElastAlert 2 starts, it will always start querying at the current time
  # minus the timeframe. timeframe must exist in the rule.
  scan_entire_timeframe: true
  ```
- Before 4 AM there were no events.
- Between 4 AM and 5:50 AM, there were 10 events.
- Between 5:50 AM and 6 AM, there were no events.
- Between 6 AM and 7:50 AM there were 29 events.
- Elastalert2 stops at 7:50 AM and is restarted immediately (no --start option is set).
- At 7:55 AM there is one more event.
At startup, Elastalert will query the whole timeframe (= 2h), from 5:50 to 7:50 AM, and fill in the current window. However, the reference window will be empty. This means that an alert will not be triggered at 7:55 AM...
Do you agree that such an issue might happen?
A way should be found to fill in both the reference window and the current window when Elastalert is restarted. This could be done by adapting the definition of SpikeRule.timeframe to be equal to half of the rule["timeframe"].
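The scenario above, replayed with a small simulation (an added example, not ElastAlert 2's own code): two adjacent windows of size `timeframe` are counted at 7:55, first with data loaded only from `restart - timeframe` (the `scan_entire_timeframe` lookback), then from `restart - 2 * timeframe`. The event timestamps, the `evaluate_spike` and `restart_comparison` helpers, and the rule that the reference window only counts once the loaded data covers it are constructed assumptions for this model.

```python
from datetime import datetime, timedelta

# Rule settings from the issue
TIMEFRAME = timedelta(hours=2)
THRESHOLD_CUR = 5
SPIKE_HEIGHT = 3


def t(hh, mm):
    return datetime(2024, 1, 1, hh, mm)


# Constructed event timestamps reproducing the scenario: 10 events between
# 4:00 and 5:50, none until 6:00, 29 events between 6:00 and 7:50, one at 7:55.
EVENTS = sorted(
    [t(4, 0) + timedelta(minutes=11 * i) for i in range(10)]
    + [t(6, 1) + timedelta(minutes=3 * i) for i in range(29)]
    + [t(7, 55)]
)


def evaluate_spike(events, start, check_time, timeframe=TIMEFRAME,
                   threshold_cur=THRESHOLD_CUR, spike_height=SPIKE_HEIGHT):
    """Simplified 'up' spike check at check_time. Only events at or after
    `start` are visible (the point ElastAlert queries from after a restart).
    Model assumption: the reference window only counts when the loaded data
    covers it, i.e. ref_start >= start. Returns (ref_count, cur_count, fires)."""
    visible = [e for e in events if start <= e <= check_time]
    cur_start = check_time - timeframe
    ref_start = cur_start - timeframe
    ref = sum(1 for e in visible if ref_start <= e < cur_start)
    cur = sum(1 for e in visible if cur_start <= e <= check_time)
    if ref_start < start:
        return ref, cur, False  # reference window never filled: no alert possible
    # Spike when the current window meets threshold_cur and is at least
    # spike_height times the reference window (model assumption).
    fires = cur >= threshold_cur and cur >= ref * spike_height
    return ref, cur, fires


def restart_comparison(check_time=t(7, 55)):
    """Restart at 7:50: lookback of one timeframe versus two timeframes."""
    restart = t(7, 50)
    return {
        "lookback_timeframe": evaluate_spike(EVENTS, restart - TIMEFRAME, check_time),
        "lookback_2x_timeframe": evaluate_spike(EVENTS, restart - 2 * TIMEFRAME, check_time),
    }


if __name__ == "__main__":
    for name, (ref, cur, fires) in restart_comparison().items():
        print(f"{name}: ref={ref} cur={cur} fires={fires}")
```

With a one-timeframe lookback the 7:55 check sees 30 current events but an unfilled reference window and does not fire; with a two-timeframe lookback it sees ref=10, cur=30 and fires.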
This issue is stale because it has been open for 6 months with no activity. Stale issues convey that the issue, while important to someone, is not critical enough for the author, or other community members to work on, sponsor, or otherwise shepherd the issue through to a resolution.