[DOCS] Add information on KQL filtering in APM rules (#170257)

Closes https://github.com/elastic/observability-docs/issues/3160 ## Summary Adds information on KQL filtering in APM rules. ### Checklist - [x] @colleenmcginnis initial draft - [x] @benakansara review * In what version was this initially added? 8.10.0? - [ ] @colleenmcginnis address feedback, merge
2025-04-23 17:28:26 -04:00 · 2023-11-02 09:29:54 -05:00 · 2023-11-02 09:29:54 -05:00 · e5bb85b4b3
commit e5bb85b4b3
parent f1fa4b0b98
2 changed files with 16 additions and 0 deletions
--- a/docs/apm/apm-alerts.asciidoc
+++ b/docs/apm/apm-alerts.asciidoc
@ -103,6 +103,22 @@ Based on the criteria above, define the following rule details:
 * **Group alerts by** - `service.name` `service.environment`
 * **Check every** - `1 minute`

+[NOTE]
+====
+Alternatively, you can use a KQL filter to limit the scope of the alert:
+
+. Toggle on *Use KQL Filter*.
+. Add a filter, for example to achieve the same effect as the example above:
+
+[source,txt]
+------
+service.name:"{your_service.name}" and service.environment:"{your_service.environment}" and error.grouping_key:"{your_error.ID}"
+------
+
+Using a KQL Filter to limit the scope is available for _Latency threshold_, _Failed transaction rate threshold_, and
+_Error count threshold_ rules.
+====
+
 Select the **Email** connector and click **Create a connector**.
 Fill out the required details: sender, host, port, etc., and click **save**.

--- a/docs/apm/images/apm-alert.png
+++ b/docs/apm/images/apm-alert.png