Clarifies note in new terms rule (#3943) (#3955)

* Clarifies note in new terms rule * Update docs/detections/rules-ui-create.asciidoc Co-authored-by: Joe Peeples <[email protected]> --------- Co-authored-by: Joe Peeples <[email protected]> (cherry picked from commit d31c606) Co-authored-by: natasha-moore-elastic <[email protected]>
elastic · Sep 14, 2023 · 625fc9d · 625fc9d
1 parent ccd6ffc
commit 625fc9d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc
@@ -302,7 +302,7 @@ NOTE: You can use {kib} saved queries (image:images/saved-query-menu.png[Saved q
 +
 .. Use the *Fields* menu to select a field to check for new terms. You can also select up to three fields to detect a combination of new terms (for example, a `host.ip` and `host.id` that have never been observed together before).
 +
-IMPORTANT: When checking multiple fields, full results can be produced only for documents with no more than 100 unique combinations of values in these fields. If you expect your data to produce more than 100 unique new terms combinations per document, consider checking other fields to narrow down the search.
+IMPORTANT: When checking multiple fields, each unique combination of values from those fields is evaluated separately. For example, a document with `host.name: ["host-1", "host-2", "host-3"]` and `user.name: ["user-1", "user-2", "user-3"]` has 9 (3x3) unique combinations of `host.name` and `user.name`. A document with 11 values in `host.name` and 10 values in `user.name` has 110 (11x10) unique combinations. The new terms rule only evaluates 100 unique combinations per document, so selecting fields with large arrays of values might cause incorrect results.
 .. Use the *History Window Size* menu to specify the time range to search in minutes, hours, or days to determine if a term is new. The history window size must be larger than the rule interval plus additional look-back time, because the rule will look for terms where the only time(s) the term appears within the history window is _also_ within the rule interval and additional look-back time.
 +
 For example, if a rule has an interval of 5 minutes, no additional look-back time, and a history window size of 7 days, a term will be considered new only if the time it appears within the last 7 days is also within the last 5 minutes. Configure the rule interval and additional look-back time when you <<rule-schedule, set the rule's schedule>>.