github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 17:28:26 -04:00
Code Issues Projects Releases Packages Wiki Activity

[Alerting][Docs] Add de-duplication example to ES query docs + update email docs wording (#111026)

Browse source 
* Change to allowlist

* Adding example to es query rule

* Apply suggestions from code review

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
This commit is contained in:
ymao1 2021-09-03 18:48:45 -04:00 committed by GitHub
parent 7c4e4f507b
commit 9132b43128
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/management/connectors/action-types/email.asciidoc
View file

@ -107,7 +107,7 @@ For other email servers, you can check the list of well-known services that Node
[[elasticcloud]]
==== Sending email from Elastic Cloud
IMPORTANT: These instructions require you to link:{cloud}/ec-watcher.html#ec-watcher-whitelist[whitelist] the email addresses that notifications get sent first.
IMPORTANT: These instructions require you to link:{cloud}/ec-watcher.html#ec-watcher-whitelist[allowlist] the email addresses that notifications get sent.
Use the following connector settings to send email from Elastic Cloud:

30
docs/user/alerting/rule-types/es-query.asciidoc
View file

@ -60,4 +60,32 @@ image::user/alerting/images/rule-types-es-query-valid.png[Test {es} query return
* An error message is shown if the query is invalid.
+
[role="screenshot"]
image::user/alerting/images/rule-types-es-query-invalid.png[Test {es} query shows error when invalid]
image::user/alerting/images/rule-types-es-query-invalid.png[Test {es} query shows error when invalid]
[float]
==== Match de-duplication
The {es} query rule type performs de-duplication of document matches across rule executions. If you configure the rule with a schedule interval smaller than the time window, and a document matches a query in multiple rule executions, it will be alerted on only once.
Suppose you have a rule configured to run every minute. The rule uses a time window of 1 hour and checks if there are more than 99 matches for the query. The {es} query rule type will do the following:
[cols="3*<"]
|===
| `Execution 1 (0:00)`
| Rule finds 113 matches in the last hour: `113 > 99`
| Rule is active and user will be alerted.
| `Execution 2 (0:01)`
| Rule finds 127 matches in the last hour. 105 of the matches are duplicates that were alerted on in Execution 1, so you actually have 22 matches: `22 !> 99`
| No alert.
| `Execution 3 (0:02)`
| Rule finds 159 matches in the last hour. 88 of the matches are duplicates that were alerted on in Execution 1, so you actually have 71 matches: `71 !> 99`
| No alert.
| `Execution 4 (0:03)`
| Rule finds 190 matches in the last hour. 71 of them are duplicates that were alerted on in Exeuction 1, so you actually have 119 matches: `119 > 99`
| Rule is active and user will be alerted.
|===