From ac4912ddc11ae38e78198b7ba2a9fd48b77d0101 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sat, 13 May 2023 01:04:18 -0400 Subject: [PATCH 1/8] First draft --- docs/detections/rules-ui-monitor.asciidoc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 5b1b875f3f..3987afdeaf 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc @@ -69,6 +69,12 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc * {kibana-ref}/task-manager-health-monitoring.html[Task Manager health monitoring] * {kibana-ref}/task-manager-troubleshooting.html[Task Manager troubleshooting] +[float] +[[troubleshoot-max-alerts]] +==== Troubleshoot max alerts warning + +If a rule reaches or exceeds the maximum number of alerts it can generate in a single rule execution, a warning is displayed. The warning appears on the rule's details page and in the rule execution log. When a rule's max alert limit is reached, some alerts might not get created so it's important that you investigate what could have caused the rule hit its limit. + [float] [[troubleshoot-gaps]] ==== Troubleshoot gaps From 19d1d251133edd69753fe8446f5c1789ef0244c6 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 14 May 2023 19:10:22 -0400 Subject: [PATCH 2/8] Minor revisions --- docs/detections/rules-ui-monitor.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 3987afdeaf..95103385ae 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -73,7 +73,9 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc [[troubleshoot-max-alerts]] ==== Troubleshoot max alerts warning -If a rule reaches or exceeds the maximum number of alerts it can generate in a single rule execution, a warning is displayed. The warning appears on the rule's details page and in the rule execution log. When a rule's max alert limit is reached, some alerts might not get created so it's important that you investigate what could have caused the rule hit its limit. +When a rule reaches the maximum number of alerts it can generate in a single rule execution, the following warning is displayed on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` + +To respond to this warning message, we recommend that you check the alerts and determine whether they should've been created. If any were wrongfully created, start investigating what caused the excess alerts. For example, check the rule's data source for possible issues or modify the rule's query if it's too broad in scope. [float] [[troubleshoot-gaps]] From 85c80d7b4ca8bd2213c6d7575df9fb229b3afdbc Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 14 May 2023 19:12:38 -0400 Subject: [PATCH 3/8] Revised suggestion --- docs/detections/rules-ui-monitor.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 95103385ae..5684a0cb44 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -75,7 +75,7 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc When a rule reaches the maximum number of alerts it can generate in a single rule execution, the following warning is displayed on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` -To respond to this warning message, we recommend that you check the alerts and determine whether they should've been created. If any were wrongfully created, start investigating what caused the excess alerts. For example, check the rule's data source for possible issues or modify the rule's query if it's too broad in scope. +If you receive this warning, check the alerts and determine whether they should've been created. If any were wrongfully created, start investigating what caused the excess alerts. For example, check the rule's data source for possible issues or modify the rule's query if it's too broad in scope. [float] [[troubleshoot-gaps]] From 449dd3ccaeeffd1659c8a12d983a0bb481fb82b5 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 18 May 2023 10:16:46 -0400 Subject: [PATCH 4/8] Update docs/detections/rules-ui-monitor.asciidoc --- docs/detections/rules-ui-monitor.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 5684a0cb44..1c46ac9405 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -75,7 +75,7 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc When a rule reaches the maximum number of alerts it can generate in a single rule execution, the following warning is displayed on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` -If you receive this warning, check the alerts and determine whether they should've been created. If any were wrongfully created, start investigating what caused the excess alerts. For example, check the rule's data source for possible issues or modify the rule's query if it's too broad in scope. +If you receive this warning, go to the rule's **Alerts** tab and examine the alerts for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly-scoped. To further reduce alert volume, you can also add <> or <>. [float] [[troubleshoot-gaps]] From d6dbe9698b9b9c40ea5e119f572038f627fe92cd Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sat, 20 May 2023 15:21:50 -0400 Subject: [PATCH 5/8] Update docs/detections/rules-ui-monitor.asciidoc Co-authored-by: Joe Peeples --- docs/detections/rules-ui-monitor.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 1c46ac9405..2504dc09f1 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -71,7 +71,7 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc [float] [[troubleshoot-max-alerts]] -==== Troubleshoot max alerts warning +==== Troubleshoot maximum alerts warning When a rule reaches the maximum number of alerts it can generate in a single rule execution, the following warning is displayed on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` From b039816f96155310472cce8fa22fc5039bb5430d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sat, 20 May 2023 15:21:57 -0400 Subject: [PATCH 6/8] Update docs/detections/rules-ui-monitor.asciidoc Co-authored-by: Joe Peeples --- docs/detections/rules-ui-monitor.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 2504dc09f1..ae255a7058 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -75,7 +75,7 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc When a rule reaches the maximum number of alerts it can generate in a single rule execution, the following warning is displayed on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` -If you receive this warning, go to the rule's **Alerts** tab and examine the alerts for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly-scoped. To further reduce alert volume, you can also add <> or <>. +If you receive this warning, go to the rule's **Alerts** tab and examine the alerts for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly scoped. To further reduce alert volume, you can also add <> or <>. [float] [[troubleshoot-gaps]] From 42d8080b5c34a848fc3c7ff7c05f80514a2fe93d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sat, 20 May 2023 15:22:11 -0400 Subject: [PATCH 7/8] Update docs/detections/rules-ui-monitor.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/detections/rules-ui-monitor.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index ae255a7058..c1f342a7dd 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -73,7 +73,7 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc [[troubleshoot-max-alerts]] ==== Troubleshoot maximum alerts warning -When a rule reaches the maximum number of alerts it can generate in a single rule execution, the following warning is displayed on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` +When a rule reaches the maximum number of alerts it can generate during a single rule execution, the following warning appears on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` If you receive this warning, go to the rule's **Alerts** tab and examine the alerts for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly scoped. To further reduce alert volume, you can also add <> or <>. From ffd6c0edcee1e22e8da20824c25c08df3def635f Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sat, 20 May 2023 15:24:10 -0400 Subject: [PATCH 8/8] Update docs/detections/rules-ui-monitor.asciidoc --- docs/detections/rules-ui-monitor.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index c1f342a7dd..da85a60080 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -75,7 +75,7 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc When a rule reaches the maximum number of alerts it can generate during a single rule execution, the following warning appears on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` -If you receive this warning, go to the rule's **Alerts** tab and examine the alerts for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly scoped. To further reduce alert volume, you can also add <> or <>. +If you receive this warning, go to the rule's **Alerts** tab and check for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly scoped. To further reduce alert volume, you can also add <> or <>. [float] [[troubleshoot-gaps]]
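Review bot: In PATCH 1/8, the added sentence "investigate what could have caused the rule hit its limit" is missing "to" ("caused the rule to hit its limit"), and "some alerts might not get created so it's important" needs a comma before "so". Both are moot once PATCH 2/8 replaces the paragraph, so consider squashing 1/8 into 2/8 so the flawed wording never lands on the branch.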
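Review bot: The PATCH 2/8 rewrite drops the one operational point the first draft made: the warning literally says "Some alerts were not created", yet the new paragraph only tells the reader how to reduce excess alerts, not what to do about the alerts that were discarded. A detection engineer reading this needs to know that true positives may be among the dropped alerts and where to look for them; at minimum add a sentence pointing at the <<troubleshoot-gaps>> section that follows this one, since an execution that hit the cap leaves the same kind of coverage hole as a missed run. The same paragraph also never states what the maximum is or where it is configured; link to that setting rather than leaving the reader to guess.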
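Review bot: The two cross-references added in PATCH 4/8 ("you can also add <> or <>") carry no anchor ids as shown here, and they survive unchanged through PATCH 8/8. Confirm the `<<anchor,text>>` targets are present in the source and resolve to existing section ids, because AsciiDoc renders an unresolved xref as a bracketed literal and the sentence would then end in "add [anchor] or [anchor]". While touching that line, "data source issues" is vague for a troubleshooting page; name the concrete checks the reader should perform (for example, whether the source index received a backfill or duplicate ingest in the rule's lookback window) or link to the page that does.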