I have Loki alert rules that should alert on the occurrence of certain even found in logs.
What should be the lookback time range in the alert configuration to ensure no instances of log events are missed.
For example, if the alert rule is configured to be evaluated every 1m, should the lookback time range also be 1m or greater than 1m to account for delays in execution? Let’s say the rule is configured to be evaluated every 60s but in actually it executed 61s after the prior execution, I’m assuming that it would miss a log event for evaluation that happened 60.5 seconds ago if the lookback time range is 60s.
Is that assumption correct and if so, how to best decide the ideal lookback time range to ensure no log events are missed from evaluation?
