[Request] Document enhanced "Execution results" tab on Rule Details page

[nastasha-solomon]

Summary - What’s newly documented for the Execution results tab

1. Execution results table

   • Columns in the new layout: Status, Run type, Timestamp, Execution duration, Alerts created, Message.
   • Row actions: Filter alerts by rule execution ID (and when it’s disabled) and View details (opens the flyout).
   • Filters: Run type, Status, and the execution date/time range (and that it’s separate from the page-level picker).
   • Additional UI changes: States that extra timing, indexing, and gap detail that used to appear via the more table columns and toggles in older versions (is now in the execution details flyout.

2. Execution details flyout

   • How to open it (View details), copyable execution ID, and a flyout fields and how to use them:
     • Message, Source event time range (manual runs), Candidate alerts vs Alerts created, Matched indices, Frozen indices queried, Gap duration, Scheduling delay, Execution duration, Search vs Indexing in the duration breakdown.
   • Cross-links where useful: manual runs, alert suppression, data tiers, fill gaps, Alerts page.

3. Still on the tab (called out under the same H2)

   • The Gaps table and Manual runs table docs remain documented with refs to docs for filling rule execution gaps and running rules manually.

Together, the new material explains what moved from the table into the flyout in 9.4+, what’s still in the table, and how to read each part of the flyout for troubleshooting and performance.

Fixes #5625.

Generative AI disclosure

1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?

• Yes
• No

Cursor + Composer 2 fast

[github-actions]

🔍 Preview links for changed docs

⏳ Building and deploying preview... View progress

This comment will be updated with preview links when the build is complete.

[github-actions]

✅ Vale Linting Results

No issues found on modified lines!

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[alaudazzi]

I left a couple of comments for your consideration :)

[nikitaindik]

Thanks for the doc update, @nastasha-solomon! I left a few comments for you.

Also I think we should mention that for rule executions that were logged pre-v9.4.0/pre-last-serverless release some execution data will be missing (because we haven't collected it before).

Here's a screenshot of a flyout for an old execution event:

• No candidate alerts, but has "Alerts created"
• No matched indices, even though "Alerts created"
• Frozen indices queried, Indexing duration are also missing.

[nikitaindik]

Thanks for addressing the feedback, @nastasha-solomon! 🙏 Updates LGTM now.

[nastasha-solomon]

Verified that changes are in serverless prod.

[mdbirnstiehl]

🐦