Commit

[BUG] Mention limited preview options for Threshold and Event Correlation rules (backport #3683) (#3714)

Co-authored-by: natasha-moore-elastic <[email protected]>
Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: nastasha.solomon <[email protected]>
4 people authored Aug 11, 2023
1 parent dd4d129 commit ec5634e
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -261,13 +261,19 @@ NOTE: To preview rules, you need the `read` privilege for the `.preview.alerts-s
To preview a rule:

. Write the rule query.
+
. Select a timeframe of data to preview query results -- *Last hour*, *Last day*, or *Last month* -- from the *Quick query preview* drop-down.
+
[NOTE]
=====
Some rules have timeframe limitations:
- *Threshold rules*: You can only preview query results from the last hour.
- *Event correlation rules*: You can only preview query results from the last hour and the last day.
=====

. Click *Preview results*. A histogram shows the number of alerts you can expect based on the defined rule parameters and historical events in your indices.

A "noise warning" is displayed if the preview generates more than one alert per hour.

[role="screenshot"]
image::images/preview-rule.png[]
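Review bot: In the added `[NOTE]` block, the two `- ` list items come directly after the line `Some rules have timeframe limitations:` with no blank line in between; Asciidoctor does not start a list on a line that continues a paragraph, so those two lines are likely to be rendered as part of the same paragraph with literal dashes rather than as a bulleted list. Insert an empty line after `Some rules have timeframe limitations:` and before `- *Threshold rules*: ...` so the list renders as intended. The `+` continuation lines that attach the note to the timeframe step, and the `=====` delimiters for the admonition block, look correct as written.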

