Without an offset
- An alert runs at 1:05. It looks for all matching documents in the index with an analysis timestamp between “now” (1:05) and the previous alert. However, at this time only 4 of the 10 documents from the 1 pm analysis have been saved to the index, so only these 4 documents are included in the alert notification.
- The next time the alert runs at 2:05, it looks for all matching documents in the index with an analysis timestamp that falls between 2:05 and the previous alert from 1:05.
- Even though the 6 remaining documents from the 1:00 analysis are now saved to the index, since their analysis timestamp (1:00) precedes the previous alert (1:05), they are excluded from the 2:05 alert notification.
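
The schedule above as a small simulation, added here as an example and not taken from the original page. The index-save times, the 12:05 previous run, and the offset semantics (both ends of the query window shifted back by a fixed delay) are assumptions.

```python
from datetime import datetime, timedelta

def at(hhmm):
    """Build a timestamp on an arbitrary fixed day (constructed sample data)."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2024, 1, 1, hour, minute)

# Constructed sample: 10 documents from the 1:00 pm analysis. Four reach the
# index by 1:05; the save times (1:03 and 1:20) are assumed for illustration.
DOCS = [
    {"id": i, "analyzed": at("13:00"), "indexed": at("13:03" if i < 4 else "13:20")}
    for i in range(10)
]

def run_alert(docs, now, previous, offset=timedelta(0)):
    """IDs of documents already in the index at `now` whose analysis timestamp
    falls in (previous - offset, now - offset]. The offset semantics are assumed."""
    start, end = previous - offset, now - offset
    return [d["id"] for d in docs
            if d["indexed"] <= now and start < d["analyzed"] <= end]

def simulate(docs, run_times, first_previous, offset=timedelta(0)):
    """Run the alert at each time in order; return the hits of each run."""
    previous, per_run = first_previous, []
    for now in run_times:
        per_run.append(run_alert(docs, now, previous, offset))
        previous = now
    return per_run

def missed(docs, per_run):
    """IDs that no run ever reported."""
    seen = {doc_id for hits in per_run for doc_id in hits}
    return sorted(d["id"] for d in docs if d["id"] not in seen)

RUNS = [at("13:05"), at("14:05")]
NO_OFFSET = simulate(DOCS, RUNS, first_previous=at("12:05"))
WITH_OFFSET = simulate(DOCS, RUNS, first_previous=at("12:05"),
                       offset=timedelta(minutes=30))

if __name__ == "__main__":
    print("no offset  :", NO_OFFSET, "missed:", missed(DOCS, NO_OFFSET))
    print("30m offset :", WITH_OFFSET, "missed:", missed(DOCS, WITH_OFFSET))
```

With the assumed 30-minute offset, the 2:05 run queries 12:35 to 1:35, so all 10 documents from the 1:00 analysis are reported once, at the cost of later notification.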