
alerts-timeslice

How does a timeslice affect a monitor?

During evaluation, a monitor's query output is compared with the configured threshold. If it matches, the alert triggers. When the query output contains multiple rows, because of timeslice or for any other reason (such as a group by operator), each row is compared with the monitor threshold, and the alert triggers if any row matches.

So if the query is _sourceCategory=abc | timeslice 1m | count by _timeslice, the timeRange is 15m, and there are 15 rows in the query output, the alert triggers if _count for any row matches the threshold, and it resolves when none of the rows match the alert threshold (and all match the resolution threshold).
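The per-row rule above can be modelled in a few lines of Python. This is an added example, not Sumo Logic code: the function names, the thresholds, the one-evaluation-per-minute schedule and the handling of empty output are assumptions, and the counts are constructed. It shows that a single one-minute spike keeps the alert triggered until that row ages out of the 15m window.

```python
import operator

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def evaluate(rows, alert, resolve, triggered):
    """One monitor evaluation over the _count value of every output row.

    rows      -- list of _count values, one per _timeslice row
    alert     -- (operator, value) alert threshold
    resolve   -- (operator, value) resolution threshold
    triggered -- state before this evaluation
    Returns the state after this evaluation (True = alert triggered).
    """
    if not rows:
        # Assumption of this model: empty output leaves the state unchanged.
        return triggered
    a_op, a_val = alert
    r_op, r_val = resolve
    # Trigger if ANY row matches the alert threshold.
    if any(OPS[a_op](c, a_val) for c in rows):
        return True
    # Resolve only if no row matched above AND all rows match resolution.
    if triggered and all(OPS[r_op](c, r_val) for c in rows):
        return False
    return triggered

def simulate(per_minute_counts, alert, resolve, window=15):
    """Slide a `window`-row range (timeRange 15m, timeslice 1m) one minute
    at a time and return the monitor state after each evaluation."""
    states, triggered = [], False
    for end in range(window, len(per_minute_counts) + 1):
        rows = per_minute_counts[end - window:end]
        triggered = evaluate(rows, alert, resolve, triggered)
        states.append(triggered)
    return states

# Constructed sample data: 25 minutes at 10 events/min, one spike at minute 5.
COUNTS = [10] * 25
COUNTS[5] = 500
ALERT = (">", 100)      # hypothetical alert threshold
RESOLVE = ("<=", 100)   # hypothetical resolution threshold

if __name__ == "__main__":
    for i, state in enumerate(simulate(COUNTS, ALERT, RESOLVE)):
        print(f"evaluation {i:2d}: {'TRIGGERED' if state else 'ok'}")
```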


Copyright © 2024 by Sumo Logic, Inc.