First draft
nastasha-solomon committed May 6, 2024
1 parent 2b8440e commit 036ee54
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -318,23 +318,23 @@ Non-aggregating queries doesn't use `STATS...BY` functions and doesn't aggregate
Here is an example non-aggregating query:
[source,esql]
-----
FROM logs-* [metadata _id, _index, _version]
FROM logs-* METADATA _id, _index, _version
| WHERE event.category == "process" AND event.id == "8a4f500d"
| LIMIT 10
-----
- This query starts by querying logs from indices that match the pattern `logs-*`. The `[metadata _id, _index, _version]` operator allows <<esql-non-agg-query-dedupe,alert deduplication>>.
- This query starts by querying logs from indices that match the pattern `logs-*`. The `METADATA _id, _index, _version` operator allows <<esql-non-agg-query-dedupe,alert deduplication>>.
- Next, the query filters events where the `event.category` is a process and the `event.id` is `8a4f500d`.
- Then, it limits the output to the top 10 results.

[float]
[[esql-non-agg-query-dedupe]]
===== Turn on alert deduplication for rules using non-aggregating queries

To deduplicate alerts, a query needs access to the `_id`, `_index`, and `_version` metadata fields of the queried source event documents. You can allow this by adding the `[metadata _id, _index, _version]` operator after the `FROM` source command, for example:
To deduplicate alerts, a query needs access to the `_id`, `_index`, and `_version` metadata fields of the queried source event documents. You can allow this by adding the `METADATA _id, _index, _version` operator after the `FROM` source command, for example:

[source,esql]
-----
FROM logs-* [metadata _id, _index, _version]
FROM logs-* METADATA _id, _index, _version
| WHERE event.category == "process" AND event.id == "8a4f500d"
| LIMIT 10
-----
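Review bot: the step description under the first example still calls `METADATA _id, _index, _version` an "operator"; in ES|QL `METADATA` is an option of the `FROM` source command, so "the `METADATA _id, _index, _version` option of `FROM`" would be more accurate, and the same wording should be used in the deduplication paragraph below it. Two smaller points in the unchanged context: the sentence in the hunk header ("Non-aggregating queries doesn't use ... and doesn't aggregate") should read "don't use ... and don't aggregate", and "limits the output to the top 10 results" implies an ordering that the query never establishes (there is no `SORT`), so "the first 10 rows" is the safer phrasing.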
Expand All @@ -347,7 +347,7 @@ Here is an example of a query that fails to deduplicate alerts. It uses the `DRO

[source,esql]
-----
FROM logs-* [metadata _id, _index, _version]
FROM logs-* METADATA _id, _index, _version
| WHERE event.category == "process" AND event.id == "8a4f500d"
| DROP _id
| LIMIT 10
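Review bot: the example only drops `_id`, but the deduplication section above states that all three of `_id`, `_index`, and `_version` are required; consider saying explicitly in the sentence introducing this example that dropping any one of the three breaks deduplication, so readers don't conclude that `_id` is the only field that matters.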
Expand All @@ -357,7 +357,7 @@ Here is another example of an invalid query that uses the `KEEP` command to only

[source,esql]
-----
FROM logs-* [metadata _id, _index, _version]
FROM logs-* METADATA _id, _index, _version
| WHERE event.category == "process" AND event.id == "8a4f500d"
| KEEP event.*
| LIMIT 10
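Review bot: `KEEP event.*` silently discards the three metadata columns, which is exactly why the query is invalid for deduplication, but the text only shows the failure. Suggest showing the corrected form beside it, e.g. `| KEEP event.*, _id, _index, _version`, so a reader who needs `KEEP` for column pruning sees how to retain the metadata fields rather than avoiding `KEEP` altogether.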
