Rule activation not respecting limit_execution

[missaeldenadai]

Hi,

I have a rule to detect the absent of an especific term in the logs within 1 hour. However, I want this rule not to be executed during weekends and at dawn. So I configured the rule as follows (other fields ommited for brevity):

type: flatline
threshold: 1
timeframe:
  minutes: 60
limit_execution: "* 6-20 * * 1-5"

But I received dozens of this alert since 3AM (UTC-3:00):

An abnormally low number of events occurred around 2023-12-14 02:14 UTC.
Between 2023-12-14 01:14 UTC and 2023-12-14 02:14 UTC, there were less than 1 events.
@timestamp: 2023-12-14T02:14:59.594844Z

My timezone is UTC-3:00 and I'm also setting the extra config query_timezone: America/Sao_Paulo.
Am I misusing limit_execution? How can I achieve the desired behavior, i.e, alert only if the absent of events happen in the period configured in the the limit_execution?

Thank you.

[jertel]

Hello,

In general it's recommended that all servers be set to UTC time. This applies to servers running ElastAlert 2 and Elasticsearch. Is your server (OS) correctly configured to use UTC time?

The query_timezone parameter only affects the time range passed to Elasticsearch query requests. It exists for dealing with Elasticsearch data that was (typically from a mistake) ingested using a timestamp field that was not UTC. It has no effect on limit_execution.

[nsano-rururu]

Yelp/elastalert#492 (comment)