elastic · taylor-swanson · Apr 10, 2023 · Apr 10, 2023 · Apr 10, 2023
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -301,6 +301,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 
 - Add metrics for log event processing. {pull}33922[33922]
 - Add metrics documentation for event processing. {issue}34887[34887] {pull}34889[34889]
+- Add note in documentation about 21 event ID clause limit {issue}35048[35048] {pull}35049[35049]
 
 *Elastic Log Driver*
 

@@ -251,7 +251,11 @@ logs.
 `WARN EventLog[Application] Open() error. No events will be read from this
 source. The specified query is invalid.`
 
-If you have more than 22 event IDs, you can workaround this Windows limitation
+In some cases, the limit may be lower than 22 conditions. For instance, using a
+mixture of ranges and single event IDs, along with an additional parameter such
+as `ignore older`, results in a limit of 21 conditions.
+
+If you have more than 22 conditions, you can workaround this Windows limitation
 by using a drop_event[drop-event] processor to do the filtering after
 {beatname_uc} has received the events from Windows. The filter shown below is
 equivalent to `event_id: 903, 1024, 4624` but can be expanded beyond 22