How to limit an alerting query?

Hi, for alerts I am doing a query in Discover and then copying it from Inspect, but there the query date is not relative but absolute. How can I do it in alerting so it auto-queries only for, like, the last 5 minutes or so? What I mean is I want a query every X minutes which checks ES only for results from the last 5 minutes, not for all records or limited by an absolute date (which makes no sense).

Hi @cyberzlo
You could use a “Range query” to filter the result when defining the monitor; see this for details: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html#ranges-on-dates

In your use case, the query might be (assuming timestamp is the field that stores the time):

{
    "query": {
        "range": {
            "timestamp": {
                "gte": "now-5m",
                "lt": "now"
            }
        }
    }
}

And then set the Monitor Schedule to run the monitor every X minutes.

Tianli
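As an added example (not code from either post), the script below builds the relative-window range query from the answer, rewrites a query copied from Discover's Inspect panel (absolute bounds) into that form, and evaluates both against constructed sample documents with a fixed clock, so you can see that only the `now-5m` form keeps selecting "the last 5 minutes" on each scheduled run. The `monitor_body` helper assumes the Open Distro / OpenSearch alerting monitor schema (`schedule.period`, `inputs[].search`, `triggers[]`); the field name `timestamp`, the index pattern and all documents are constructed for the demo.

```python
"""Relative vs. absolute time windows for a scheduled alerting query.

Added example; not from the forum thread. Field name, documents, clock and
index pattern are constructed. Monitor schema is an assumption (Open Distro /
OpenSearch alerting).
"""
import copy
import re
from datetime import datetime, timedelta, timezone

DATE_MATH = re.compile(r"^now(?:-(\d+)([mhd]))?$")      # subset of ES date math
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}


def relative_range_query(field: str, window_minutes: int) -> dict:
    """The query from the answer, parameterised on field and window size."""
    return {"query": {"range": {field: {"gte": f"now-{window_minutes}m", "lt": "now"}}}}


def _range_clauses(query: dict):
    """Yield every range clause: top-level `range` or entries of bool.filter."""
    q = query["query"]
    if "range" in q:
        yield q["range"]
    for clause in q.get("bool", {}).get("filter", []):   # Discover emits a list here
        if "range" in clause:
            yield clause["range"]


def relativize_range(query: dict, field: str, window_minutes: int) -> dict:
    """Replace the absolute gte/lt bounds Discover put on `field` with date
    math, leaving every other clause of the copied query untouched."""
    out = copy.deepcopy(query)
    replaced = False
    for rng in _range_clauses(out):
        if field in rng:
            rng[field] = {"gte": f"now-{window_minutes}m", "lt": "now"}
            replaced = True
    if not replaced:
        raise ValueError(f"no range clause on {field!r} found")
    return out


def resolve_bound(value: str, now: datetime) -> datetime:
    """Resolve 'now' / 'now-5m' style date math or an ISO 8601 timestamp to
    an aware datetime, relative to the clock the query is run with."""
    m = DATE_MATH.match(value)
    if m:
        if m.group(1) is None:
            return now
        return now - timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matching_ids(query: dict, field: str, docs: list, now: datetime) -> list:
    """Local stand-in for executing the query: ids of docs whose `field`
    satisfies every gte/lt bound on it, with 'now' resolved at run time."""
    bounds = [rng[field] for rng in _range_clauses(query) if field in rng]
    hits = []
    for doc in docs:
        ts = doc[field]
        if all(("gte" not in b or ts >= resolve_bound(b["gte"], now))
               and ("lt" not in b or ts < resolve_bound(b["lt"], now))
               for b in bounds):
            hits.append(doc["id"])
    return hits


def monitor_body(index: str, query: dict, every_minutes: int) -> dict:
    """Assumed Open Distro / OpenSearch alerting monitor: run `query` every X
    minutes and fire when any document falls inside the window."""
    return {
        "type": "monitor",
        "name": f"last-{every_minutes}m-check",
        "enabled": True,
        "schedule": {"period": {"interval": every_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": [index], "query": {"size": 0, **query}}}],
        "triggers": [{
            "name": "hits-in-window",
            "severity": "1",
            "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0",
                                     "lang": "painless"}},
            "actions": [],
        }],
    }


# Constructed clock and documents for the demo.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=10)              # the next scheduled run
DOCS = [
    {"id": "a", "timestamp": NOW - timedelta(minutes=1)},
    {"id": "b", "timestamp": NOW - timedelta(minutes=4)},
    {"id": "c", "timestamp": NOW - timedelta(minutes=6)},
    {"id": "d", "timestamp": NOW - timedelta(days=1)},
]
# Constructed copy of what Inspect shows: the absolute window of yesterday's look.
DISCOVER_QUERY = {"query": {"bool": {"filter": [
    {"match_all": {}},
    {"range": {"timestamp": {"gte": "2023-12-31T11:55:00Z", "lt": "2023-12-31T12:01:00Z"}}},
]}}}

if __name__ == "__main__":
    rel = relativize_range(DISCOVER_QUERY, "timestamp", 5)
    print("absolute window, today:", matching_ids(DISCOVER_QUERY, "timestamp", DOCS, NOW))
    print("relative window, now:  ", matching_ids(rel, "timestamp", DOCS, NOW))
    print("relative window, +10m: ", matching_ids(rel, "timestamp", DOCS, LATER))
    print(monitor_body("logs-*", rel, 5)["schedule"])
```

The absolute query keeps returning the same stale document on every run, while the relativized one returns whatever landed in the trailing five minutes at execution time, which is what a monitor scheduled every X minutes needs; note that a window shorter than the schedule interval leaves gaps, and a longer one double-counts, so choose the window to match the interval.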