Spike rule type

The spike rule compares the event count in the current timeframe window against the count in the equally sized window immediately before it, so you catch sudden surges or drops relative to the prior period.

Details for each key are in Options; Full working example shows type: spike in a complete ElastAlert 2 rule.

The rule stays quiet until roughly two full timeframes have passed, so that a baseline exists, unless alert_on_new_data is set together with query_key.

Options

Fields every rule needs

Regardless of type, each ElastAlert 2 rule must include:

  • name — unique identifier for the rule.
  • index — OpenSearch index pattern (for example *-* for stack logs).
  • type — the rule type; it must match this page.
  • filter — at least one filter clause so ElastAlert knows which documents to evaluate.
  • alert — one or more notification types (for example email, slack) and their configuration.

Common optional keys such as buffer_time, run_every, realert, is_enabled, and Discover link fields apply to every type; see the Full Reference. For the Logit.io editor workflow, see Create a rule.

The Required for this type and Optional subsections below list only the keys specific to type: spike. Global options—buffer_time, run_every, realert, is_enabled, Discover links, and the rest of the YAML surface—are in the Full Reference. For notification wording and destinations, see Subject & body, Context & links, and Destinations.

Required for this type

  • spike_height — multiplier between windows.
  • spike_type — up, down, or both.
  • timeframe — size of each window.
  • Often threshold_cur and/or threshold_ref — minimum counts so small noise does not alert.

Optional

  • query_key, alert_on_new_data, use_count_query, use_terms_query, terms_size, field_value, threshold_cur, threshold_ref.
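The following Python model is an added example, not ElastAlert 2's own code and not part of this page: it re-implements the documented decision of a type: spike rule (two equal windows, a spike_height multiplier, spike_type direction, and the threshold_cur / threshold_ref floors, plus the two-timeframe baseline wait) so you can see why the thresholds matter on small counts. The SpikeRule class, the function names and the constructed event timestamps are assumptions made for illustration; only the option names come from the rule documentation.

```python
# Added example (not ElastAlert 2's own code): a self-contained model of how a
# type: spike rule decides whether to fire. SpikeRule, the helper functions and
# the constructed timestamps are assumptions for illustration; only the option
# names (timeframe, spike_height, spike_type, threshold_cur, threshold_ref)
# come from the rule documentation.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
# Constructed evaluation time used by the demo and the sample data below.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class SpikeRule:
    timeframe: timedelta      # size of each of the two windows
    spike_height: float       # multiplier between the two window counts
    spike_type: str           # "up", "down" or "both"
    threshold_cur: int = 0    # floor for the current window count
    threshold_ref: int = 0    # floor for the reference window count


def count_windows(events, now, timeframe):
    """Count events in the current window (now - timeframe, now] and in the
    equally sized reference window immediately before it."""
    cur_start = now - timeframe
    ref_start = cur_start - timeframe
    cur = sum(1 for t in events if cur_start < t <= now)
    ref = sum(1 for t in events if ref_start < t <= cur_start)
    return cur, ref


def evaluate_spike(rule, events, now, rule_started):
    """Return (alert, cur, ref, reason) for one evaluation at time `now`."""
    # No baseline until roughly two full timeframes have elapsed.
    if now - rule_started < 2 * rule.timeframe:
        return False, 0, 0, "no baseline yet"
    cur, ref = count_windows(events, now, rule.timeframe)
    # Floors: small absolute counts never alert, however large the ratio.
    # Without threshold_ref a reference count of 0 makes any "up" ratio fire.
    if cur < rule.threshold_cur:
        return False, cur, ref, "current window below threshold_cur"
    if ref < rule.threshold_ref:
        return False, cur, ref, "reference window below threshold_ref"
    # Ratio test in the direction(s) the rule watches.
    up = rule.spike_type in ("up", "both") and cur >= rule.spike_height * ref
    down = rule.spike_type in ("down", "both") and ref >= rule.spike_height * cur
    if up:
        return True, cur, ref, "up spike"
    if down:
        return True, cur, ref, "down spike"
    return False, cur, ref, "within normal range"


def render_alert_text(alert_text, *args):
    """alert_text uses positional {0}, {1} placeholders filled in order from
    alert_text_args, which is plain str.format behaviour."""
    return alert_text.format(*args)


def constructed_events(now, ref_count, cur_count, timeframe=HOUR):
    """Constructed sample data: `ref_count` timestamps spread evenly over
    (now - 2*timeframe, now - timeframe] and `cur_count` over
    (now - timeframe, now]."""
    step_ref = timeframe / max(ref_count, 1)
    step_cur = timeframe / max(cur_count, 1)
    ref = [now - timeframe - i * step_ref for i in range(ref_count)]
    cur = [now - i * step_cur for i in range(cur_count)]
    return ref + cur


if __name__ == "__main__":
    rule = SpikeRule(HOUR, spike_height=3, spike_type="up", threshold_cur=100)
    # Same 3x+ ratio in both cases; only the floor separates signal from noise.
    for ref_n, cur_n in [(200, 900), (1, 5)]:
        events = constructed_events(NOW, ref_n, cur_n)
        alert, cur, ref, why = evaluate_spike(rule, events, NOW, NOW - 3 * HOUR)
        print(f"ref={ref} cur={cur} alert={alert} ({why})")
        if alert:
            print(render_alert_text(
                "Spike: current window {0} vs reference {1}", cur, ref))
```

Running the demo shows the (200, 900) pair firing as an up spike while the (1, 5) pair, which has the same ratio, is suppressed by threshold_cur; swap spike_type to "down" and the comparison runs the other way. The render_alert_text call mirrors how alert_text and alert_text_args combine into the message the Slack example sends.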

Full working example

name: Traffic spike example
type: spike
index: "*-*"
timeframe:
  hours: 1
spike_height: 3
spike_type: up
threshold_cur: 100
filter:
  - query:
      query_string:
        query: "event.dataset:nginx.access"
use_count_query: true
doc_type: _doc
alert:
  - "email"
email:
  - "[email protected]"  # placeholder recipient address

Real-world example: sudden nginx traffic spike to Slack

Marketing campaigns or attacks can multiply request volume. Alert when the current hour is several times higher than the previous hour, with a floor so noise stays low.

name: Nginx access traffic spike
type: spike
index: "*-*"
timeframe:
  hours: 1
spike_height: 4
spike_type: up
threshold_cur: 5000
threshold_ref: 1000
filter:
  - query:
      query_string:
        query: "event.dataset:nginx.access"
use_count_query: true
doc_type: _doc
alert_text_type: alert_text_only
alert_text: "Spike: current window {0} vs reference {1}"
alert_text_args:
  - spike_count
  - reference_count
alert:
  - "slack"
slack_webhook_url: "https://hooks.slack.com/services/XXX/YYY/ZZZ"

See Slack.