Nat's edits
nastasha-solomon committed May 10, 2024
1 parent 5fb8233 commit 0195f62
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -311,7 +311,7 @@ NOTE: Rules that use aggregating queries might create duplicate alerts. This can
[float]
[[esql-non-agg-query]]
===== Non-aggregating query
Non-aggregating queries doesn't use `STATS...BY` functions and doesn't aggregate source event data. Alerts generated by an {esql} rule with a non-aggregating query only contain the fields returned by the query.
Non-aggregating queries don't use `STATS...BY` functions and don't aggregate source event data. Alerts generated by an {esql} rule with a non-aggregating query only contain the fields returned by the query.

Here is an example non-aggregating query:
[source,esql]
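Review bot: The agreement fix is correct and complete for this line: the plural subject "Non-aggregating queries" takes "don't", and both occurrences were changed while the second sentence was already consistent. One optional style point on the same line: `STATS...BY` is written as a single run without spaces; if the rest of this file spells the command as `STATS ... BY`, consider matching that form so the backtick span reads as two keywords rather than one token.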
Expand Down Expand Up @@ -367,7 +367,7 @@ FROM logs-* METADATA _id, _index, _version

When writing your query, consider the following:

- The {ref}/esql-commands.html#esql-limit[`LIMIT`] command specifies the number of rows an {esql} query returns and the number of alerts created per rule execution. Similarly, a detection rule's <<opt-fields-all,`max_signals`>> setting specifies the maximum number of alerts it can create every time it runs.
- The {ref}/esql-commands.html#esql-limit[`LIMIT`] command specifies the maximum number of rows an {esql} query returns and the maximum number of alerts created per rule execution. Similarly, a detection rule's <<opt-fields-all,`max_signals`>> setting specifies the maximum number of alerts it can create every time it runs.
+
If the `LIMIT` value is lower than the `max_signals` value, the rule uses the `LIMIT` value to determine the maximum number of alerts the rule generates. If the `LIMIT` value is higher than the `max_signals` value, the rule uses the `max_signals` value.
+
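Review bot: "maximum" is the right qualifier here, since `LIMIT` caps the row count rather than fixing it, and the change brings the first sentence into line with the `max_signals` sentence that follows it. The continuation paragraph below the bullet still spells out only the lower-than and higher-than cases; when the two values are equal either reading yields the same cap, so the two sentences could be collapsed into one, e.g. "The rule generates at most the lower of the `LIMIT` and `max_signals` values." Also worth confirming that the surrounding text says what applies when a query omits `LIMIT` entirely, since a reader now expects a stated maximum in every case.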
Expand All @@ -382,7 +382,7 @@ NOTE: The `max_signals` default value is 100. You can modify it using the <<rule

The {esql} rule has the following limitations:

- If your {esql} query creates new fields that aren’t part of the ECS schema, they won’t be mapped to the alerts index and you can't search or filter for them from the Alerts table. As a workaround, create <<runtime-fields,runtime fields>>.
- If your {esql} query creates new fields that aren’t part of the ECS schema, they won’t be mapped to the alerts index, and you can't search or filter for them from the Alerts table. As a workaround, create <<runtime-fields,runtime fields>>.
- If your {esql} query creates new fields that aren’t in the query’s source index, they can’t be added to the rule’s <<rule-ui-advanced-params,custom highlighted fields>>.

[float]
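Review bot: The added comma correctly separates two independent clauses ("they won't be mapped to the alerts index" and "you can't search or filter for them"), and the unchanged second bullet keeps the same "If your {esql} query creates new fields that ..." opener, so the two limitations read as a parallel pair. One nit visible in this hunk: the first bullet mixes typographic apostrophes (aren’t, won’t) with an ASCII one (can't), while the second bullet uses typographic ones throughout; consider making them uniform within the list.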

0 comments on commit 0195f62
