[DOCS] Add information on KQL filtering in APM rules (#170257)

Closes elastic/observability-docs#3160 ## Summary Adds information on KQL filtering in APM rules. ### Checklist - [x] @colleenmcginnis initial draft - [x] @benakansara review * In what version was this initially added? 8.10.0? - [ ] @colleenmcginnis address feedback, merge
elastic · Nov 2, 2023 · e5bb85b · e5bb85b
1 parent f1fa4b0
commit e5bb85b
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/docs/apm/apm-alerts.asciidoc b/docs/apm/apm-alerts.asciidoc
@@ -103,6 +103,22 @@ Based on the criteria above, define the following rule details:
 * **Group alerts by** - `service.name` `service.environment`
 * **Check every** - `1 minute`
 
+[NOTE]
+====
+Alternatively, you can use a KQL filter to limit the scope of the alert:
+
+. Toggle on *Use KQL Filter*.
+. Add a filter, for example to achieve the same effect as the example above:
++
+[source,txt]
+------
+service.name:"{your_service.name}" and service.environment:"{your_service.environment}" and error.grouping_key:"{your_error.ID}"
+------
+
+Using a KQL Filter to limit the scope is available for _Latency threshold_, _Failed transaction rate threshold_, and
+_Error count threshold_ rules.
+====
+
 Select the **Email** connector and click **Create a connector**.
 Fill out the required details: sender, host, port, etc., and click **save**.
 

diff --git a/docs/apm/images/apm-alert.png b/docs/apm/images/apm-alert.png