Define timestamp offsets for incremental alerts (Optional)

Incremental alerting is based on a document's analysis timestamp. Because there is a lag between analysis and indexing, there is a chance that an alert runs after the analysis of a new batch of documents has started, but before all of those documents have been added to the index.

As a result, there’s a risk that some matching documents will be excluded from both the current alert and the alert that follows.

To prevent this, a timestamp offset is applied. The default value is 900s (15 minutes), which you can change. The offset you need depends on the typical lag between analysis and indexing and on how frequently alerts run.

For example, say 10 documents enter the analysis pipeline at 1:00.
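The following simulation, added here as an illustration rather than taken from the product documentation, models the gap the offset closes: a document analyzed just before an alert run but indexed after it is missed by that run, and without an offset it also falls outside the next run's window. The document batch, run times, lag values and the suppression of repeat alerts are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    doc_id: str
    analyzed_at: int  # analysis timestamp stored in the document (seconds)
    indexed_at: int   # moment the document becomes searchable (seconds)

# Constructed sample batch: doc-B is analyzed just before the 1:00 alert run
# but is not indexed until 110 s later, so the 1:00 run cannot see it.
DOCS = [
    Doc("doc-A", analyzed_at=1000, indexed_at=1050),
    Doc("doc-B", analyzed_at=3590, indexed_at=3700),
    Doc("doc-C", analyzed_at=5000, indexed_at=5020),
]
RUN_TIMES = [3600, 7200, 10800]  # hourly alert runs at 1:00, 2:00, 3:00

def run_incremental_alerts(docs, run_times, offset):
    """Simulate incremental alert runs.

    A run at time T selects documents that are already indexed and whose
    analysis timestamp lies in [previous_run - offset, T). Documents already
    reported by an earlier run are suppressed (modelling assumption).
    Returns a list of (run_time, tuple_of_new_doc_ids).
    """
    reported, results, previous_run = set(), [], None
    for t in run_times:
        lower = 0 if previous_run is None else previous_run - offset
        hits = tuple(sorted(
            d.doc_id for d in docs
            if d.indexed_at <= t            # visible to the query at run time
            and lower <= d.analyzed_at < t  # inside the offset-widened window
            and d.doc_id not in reported))
        reported.update(hits)
        results.append((t, hits))
        previous_run = t
    return results

def never_alerted(docs, results):
    """Documents that no run reported: the gap the offset is meant to close."""
    reported = {doc_id for _, hits in results for doc_id in hits}
    return {d.doc_id for d in docs} - reported

def sufficient_offset(docs):
    """An offset at least as large as the worst analysis-to-indexing lag
    guarantees a document missed by one run lands in the next run's window."""
    return max(d.indexed_at - d.analyzed_at for d in docs)

if __name__ == "__main__":
    for offset in (0, 900):
        results = run_incremental_alerts(DOCS, RUN_TIMES, offset)
        print(f"offset={offset:>3}s runs={results} missed={never_alerted(DOCS, results)}")
    print("sufficient offset:", sufficient_offset(DOCS), "s")
```

With offset 0 the 2:00 run's window starts at 1:00, so doc-B (analyzed at 3590 s) is never reported; with the 900 s offset the window starts at 2700 s and doc-B is picked up at 2:00.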

See Also
Changing the timestamp offset