diff --git a/docs/user/alerting/create-and-manage-rules.asciidoc b/docs/user/alerting/create-and-manage-rules.asciidoc index 670e531350d5b3..6f3b418deabb9f 100644 --- a/docs/user/alerting/create-and-manage-rules.asciidoc +++ b/docs/user/alerting/create-and-manage-rules.asciidoc @@ -55,7 +55,7 @@ Each rule type provides its own way of defining the conditions to detect, but an For example, in an {es} query rule, you specify an index, a query, and a threshold, which uses a metric aggregation operation (`count`, `average`, `max`, `min`, or `sum`): [role="screenshot"] -image::images/es-query-rule-conditions.png[UI for defining rule conditions in an {es} query rule,500] +image::images/rule-types-es-query-conditions.png[UI for defining rule conditions in an {es} query rule,500] // NOTE: This is an autogenerated screenshot. Do not edit it directly. All rules must have a check interval, which defines how often to evaluate the rule conditions. Checks are queued; they run as close to the defined value as capacity allows. diff --git a/docs/user/alerting/images/alert-types-tracking-containment-conditions.png b/docs/user/alerting/images/alert-types-tracking-containment-conditions.png index b328bb05dd0d60..1ff0a03b855126 100644 Binary files a/docs/user/alerting/images/alert-types-tracking-containment-conditions.png and b/docs/user/alerting/images/alert-types-tracking-containment-conditions.png differ diff --git a/docs/user/alerting/images/es-query-rule-conditions.png b/docs/user/alerting/images/es-query-rule-conditions.png deleted file mode 100644 index b2a4aeba332d32..00000000000000 Binary files a/docs/user/alerting/images/es-query-rule-conditions.png and /dev/null differ 
diff --git a/docs/user/alerting/images/rule-types-es-query-conditions.png b/docs/user/alerting/images/rule-types-es-query-conditions.png index 786d1723688683..e1bbccc1b83d1d 100644 Binary files a/docs/user/alerting/images/rule-types-es-query-conditions.png and b/docs/user/alerting/images/rule-types-es-query-conditions.png differ diff --git a/docs/user/alerting/rule-types/es-query.asciidoc b/docs/user/alerting/rule-types/es-query.asciidoc index 9f17768d1d66d0..99c0e6f965306e 100644 --- a/docs/user/alerting/rule-types/es-query.asciidoc +++ b/docs/user/alerting/rule-types/es-query.asciidoc @@ -81,7 +81,10 @@ This option is not available when you use a grouping field. Generally this value should be set to a value that is smaller than the time window, to avoid gaps in detection. -7. Select a scope value, which affects the <> that are required to access the rule. +7. In the advanced options, you can change the number of consecutive runs that must meet the rule conditions before an alert occurs. + The default value is `1`. + +8. Select a scope value, which affects the <> that are required to access the rule. For example when it's set to `Stack Rules`, you must have the appropriate *Management > {stack-rules-feature}* feature privileges to view or edit the rule. [float] diff --git a/docs/user/alerting/rule-types/geo-rule-types.asciidoc b/docs/user/alerting/rule-types/geo-rule-types.asciidoc index 22c00296013590..af26780a3a6aa1 100644 --- a/docs/user/alerting/rule-types/geo-rule-types.asciidoc +++ b/docs/user/alerting/rule-types/geo-rule-types.asciidoc 
@@ -29,7 +29,10 @@ image::user/alerting/images/alert-types-tracking-containment-conditions.png[Crea Boundaries data is expected to be static (not updating). Boundaries are collected once when the rule is created and anytime after when boundary configuration is modified. -. Set the check interval, which defines how often to evaluate the rule conditions. +. Set the check interval, which defines how often to evaluate the rule conditions. + +. In the advanced options, you can change the number of consecutive runs that must meet the rule conditions before an alert occurs. + The default value is `1`. Entity locations are queried to determine whether they are contained within any monitored boundaries. Entity data should be somewhat "real time", meaning the dates of new documents aren't older than the current time minus the amount of the interval. diff --git a/docs/user/alerting/rule-types/index-threshold.asciidoc b/docs/user/alerting/rule-types/index-threshold.asciidoc index a91607c71600ea..a5f7c79e1be74e 100644 --- a/docs/user/alerting/rule-types/index-threshold.asciidoc +++ b/docs/user/alerting/rule-types/index-threshold.asciidoc @@ -44,6 +44,9 @@ It determines how far back to search for documents and uses the time field set i 7. Set the check interval, which defines how often to evaluate the rule conditions. Generally this value should be set to a value that is smaller than the time window, to avoid gaps in detection. +8. In the advanced options, you can change the number of consecutive runs that must meet the rule conditions before an alert occurs. +The default value is `1`. + If data is available and all clauses have been defined, a preview chart will render the threshold value and display a line chart showing the value for the last 30 intervals. This can provide an indication of recent values and their proximity to the threshold, and help you tune the clauses.
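Review bot: In the `create-and-manage-rules.asciidoc` hunk, the `image::` macro is repointed to `images/rule-types-es-query-conditions.png` and `es-query-rule-conditions.png` is deleted in the same patch, but this is the only reference the diff updates. Please confirm that no other page under `docs/` still points at the deleted file, since a leftover reference would give a broken image in the build. The `// NOTE: This is an autogenerated screenshot` comment now covers the renamed target, so it would also help to confirm that the screenshot generator writes to the new filename.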
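Review bot: In the `es-query.asciidoc` hunk, the new step 7 gives the default of `1` but not what raising it costs. Since the rule conditions must be met on that many consecutive runs before an alert occurs, a higher value pushes the first alert back by additional check intervals, and a condition that clears before the count is reached never alerts. One sentence saying so, placed next to the existing advice on keeping the check interval smaller than the time window, would let readers weigh noise suppression against detection delay.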
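Review bot: In the `geo-rule-types.asciidoc` hunk, the new consecutive-runs step is inserted between ". Set the check interval" and the paragraph beginning "Entity locations are queried", which ends by referring to "the interval". That paragraph used to follow the check interval step directly, and now reads as if it belongs to the advanced option. Consider moving the new step after that paragraph, or attaching the paragraph to the check interval step with a list continuation. Separately, the removed and re-added ". Set the check interval" lines look identical here; if that is only a whitespace change, a word in the commit message would make it clear it is intentional.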
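Review bot: In the `index-threshold.asciidoc` hunk, step 8 says "In the advanced options, you can change the number of consecutive runs" without giving the label of the control, so a reader has to guess which field is meant. Please name the field as it appears in the UI. The same two sentences are added verbatim to `es-query.asciidoc` and `geo-rule-types.asciidoc`, so a shared snippet or attribute would keep the three copies from drifting. It would also help to say whether the preview chart described in the following paragraph takes this setting into account.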