num hits not match logs of top_count_keys

[YTS85205107]

this is my elastalert rule below:

name: "nginx log"
type: frequency
index: nginx-*
num_events: 50
timeframe:
  minutes: 1
realert:
  minutes: 1

top_count_keys: ["request_url", "request_path", "backend_name"]
top_count_number: 5
attach_related: false

query_timezone: "Asia/Taipei"

use_local_time: true

filter:
  - range:
      http_status_code:
        from: 500
        to: 599

alert:
  - "slack"

slack:
slack_webhook_url: "https://hooks.slack.com/services/xxx"
slack_channel_override: "#alert"

alert_text_type: exclude_fields
alert_text_args: ["num_hits"]
alert_text: |
  log count: {0}

when I receive the elastalert from slack, it shows

nginx log
log count: 77
At least 50 events occurred between 2024-06-05 03:19 -04 and 2024-06-05 03:20 -04
request_url.keyword:
www.aaa.com: 62
www.bbb.com: 30
www.ccc.com: 2
www.ddd.com: 2
www.eee.com: 1
request_path.keyword:
/test: 67
/: 24
/LoginCheck: 3
/abc: 2
/html: 1
backend_name.keyword:
nginx1: 64
nginx2: 24
nginx3: 6
nginx4: 2
nginx5: 1

why does checking the elastalert log show query 77 hits , and checking the ELK log 3:19 ~ 3:20 also shows 77 logs, but the request_url, request_path, and backend_name of top_count_keys all have 97 logs ?

thanks all.

[jertel]

It's uses the matched record's timestamp, timestampX, and counts all rule hits that fall in the following time range:

Range Start: timestampX - timeframe (1 minute in your example)
Range Stop: timestampX + 10 minutes (hardcoded, in case there were logs mis timestamped from the future)

So most likely a previous rule run, such as from the 3:18 to 3:19 query, had also found some hits, but not enough to trigger the alert. Then the next rule run found 77 hits, and so the top_count calculation included some hits from the previous minute.