From c74e55376765c3874396bfda4f2ece8ef7a6612a Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 13:05:24 -0400 Subject: [PATCH] [8.8] Write troubleshooting docs for max alerts warning (backport #3262) (#3327) Co-authored-by: Joe Peeples Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/rules-ui-monitor.asciidoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 5b1b875f3f..da85a60080 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc @@ -69,6 +69,14 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc * {kibana-ref}/task-manager-health-monitoring.html[Task Manager health monitoring] * {kibana-ref}/task-manager-troubleshooting.html[Task Manager troubleshooting] +[float] +[[troubleshoot-max-alerts]] +==== Troubleshoot maximum alerts warning + +When a rule reaches the maximum number of alerts it can generate during a single rule execution, the following warning appears on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` + +If you receive this warning, go to the rule's **Alerts** tab and check for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly scoped. To further reduce alert volume, you can also add <> or <>. + [float] [[troubleshoot-gaps]] ==== Troubleshoot gaps
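Review bot: The last added sentence ends with "add <> or <>", so both cross-references are empty as shown here and a reader cannot tell which two features are meant to reduce alert volume; each needs an anchor ID and link text. The same sentence opens with "To further reduce alert volume", but nothing before it names a first way to reduce volume. Either say what to do about unexpected alerts (the previous sentence points at data source issues and broadly scoped queries, so fixing the source or narrowing the query would fit) or drop "further". The section also refers to "the maximum number of alerts" without giving the value or saying where it is set; a short pointer to that setting would let a reader tell a misbehaving rule from a limit that is simply too low for their data.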