From ec5634e13a3fd629d81e2deec8e0798d3b24344c Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Fri, 11 Aug 2023 16:29:33 -0400 Subject: [PATCH] [BUG] Mention limited preview options for Threshold and Event Correlation rules (backport #3683) (#3714) Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha.solomon --- docs/detections/rules-ui-create.asciidoc | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 9c312b4053..f8849094a0 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -261,13 +261,19 @@ NOTE: To preview rules, you need the `read` privilege for the `.preview.alerts-s To preview a rule: . Write the rule query. -+ . Select a timeframe of data to preview query results -- *Last hour*, *Last day*, or *Last month* -- from the *Quick query preview* drop-down. + +[NOTE] +===== +Some rules have timeframe limitations: + +- *Threshold rules*: You can only preview query results from the last hour. +- *Event correlation rules*: You can only preview query results from the last hour and the last day. +===== + . Click *Preview results*. A histogram shows the number of alerts you can expect based on the defined rule parameters and historical events in your indices. A "noise warning" is displayed if the preview generates more than one alert per hour. - [role="screenshot"] image::images/preview-rule.png[]
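Review bot: In the added NOTE, the *Event correlation rules* bullet says "from the last hour and the last day", which reads as if both ranges apply at once. "From the last hour or the last day" would match step 2, where a single timeframe is picked from the *Quick query preview* drop-down. Step 2 still offers *Last month* without qualification, so a reader who stops at that sentence will not learn that it is unavailable for these two rule types; consider a short pointer to the note there. The hunk also drops the `+` after step 1 and the blank line before `[role="screenshot"]`, so it is worth checking the rendered page to confirm the NOTE and the screenshot attach to the intended steps and the numbering is unchanged.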